On Tue, 14 Apr 1998 [EMAIL PROTECTED] wrote:
> SSL_set_verify(ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 0);
>
> If I set this flag, and the negotiated cipher is DH anon then I get
> a connection failure. Is this the correct behaviour? Since I'm using
> DH anon I wouldn't have thought this is correct.
hmm... well you will not get a client cert from anon-DH, so you should
not ask for one, but then how do you know that you will be using
anon-DH if it is but one of many ciphers? I'll stick with the current
behaviour since it will protect against bad things more. It basically says
we MUST get a peer certificate.
The solution is to remove the VERIFY_FAIL_IF_NO_PEER_CERT and
to check for a peer certificate after the handshake has finished.
If no certificate, then close the connection. This type of thing is done
by quite a few web servers. You always accept the connection, then respond
with an error page if the ciphers/cert are not up to scratch.
eric
+-------------------------------------------------------------------------+
| Administrative requests should be sent to [EMAIL PROTECTED] |
| List service provided by Open Software Associates, http://www.osa.com/ |
+-------------------------------------------------------------------------+