The fingerprint check should be done where certificate validation would be done. This is typically done within the handshake itself, because if the validation fails you do not want to send or receive data on the connection. I suppose you could implement the check after the handshake, but you need to make sure you do not send or receive application data before successful validation has occurred.
Joe

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Rainer Gerhards
> Sent: Monday, May 19, 2008 2:31 PM
> To: [email protected]
> Subject: [Syslog] Fingerprint/handshake
>
> Quick question: must the fingerprint check be done as part of
> the TLS handshake? Or must (can?) it be done after the
> handshake completed?
>
> From the draft I got the impression it must be done inside
> the handshake and handshake must fail if fingerprint auth fails.
>
> A clarification would be most appreciated.
>
> Thanks,
> rainer
> _______________________________________________
> Syslog mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/syslog
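An added example, not part of the original messages or of any syslog implementation: the post-handshake variant described in the reply, written in Python, where the connection is closed before any application data is exchanged if the fingerprint does not match. The hex SHA-256 pin format and the names `cert_fingerprint`, `fingerprint_ok` and `open_pinned` are assumptions made for this sketch.

```python
import hashlib
import hmac
import socket
import ssl


def cert_fingerprint(der_cert: bytes) -> str:
    """Hex SHA-256 over the DER-encoded certificate (assumed pin format)."""
    return hashlib.sha256(der_cert).hexdigest()


def fingerprint_ok(der_cert, pinned: str) -> bool:
    """Compare the peer certificate against the pinned fingerprint."""
    if not der_cert:  # peer presented no certificate: fail closed
        return False
    wanted = pinned.replace(":", "").strip().lower()
    return hmac.compare_digest(cert_fingerprint(der_cert).encode(),
                               wanted.encode())


def open_pinned(host: str, port: int, pinned: str) -> ssl.SSLSocket:
    """Handshake, check the fingerprint, and only then hand back the socket."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Assumption: the pinned fingerprint replaces PKI path validation,
    # so the library's own chain and hostname checks are switched off.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    raw = socket.create_connection((host, port), timeout=10)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)  # handshake runs here
    except Exception:
        raw.close()
        raise
    # Nothing has been written to or read from the TLS channel yet.
    if not fingerprint_ok(tls.getpeercert(binary_form=True), pinned):
        tls.close()
        raise ssl.SSLError("peer certificate fingerprint mismatch")
    return tls


# Constructed sample bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed-sample-certificate-bytes"
```

Callers only ever receive a socket from `open_pinned` after the comparison has passed, which is what keeps application data off an unvalidated connection.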
