https://issues.apache.org/bugzilla/show_bug.cgi?id=47492
--- Comment #4 from Paul Donohue <[email protected]> 2010-04-14 09:17:10 EDT ---

But optional_no_ca always asks for a certificate as well. The only difference between require and optional is that require sets the SSL_VERIFY_PEER_STRICT mode on SSL_CTX_set_verify (in ssl_engine_init.c) while optional only sets the SSL_VERIFY_PEER mode. SSL_VERIFY_PEER_STRICT is defined (in ssl_private.h) as SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT. And if you read the SSL documentation (http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html), SSL_VERIFY_FAIL_IF_NO_PEER_CERT simply causes SSL to drop the connection if no cert is available. But in either case, it ALWAYS asks for a cert.

Therefore, the only difference between optional_no_ca and require_no_ca is that require_no_ca will drop the connection automatically if no cert is provided, while optional_no_ca will accept the connection and just not set the SSL_CLIENT_CERT variable. So if you are implementing your own verify method, why not just use optional_no_ca and check for an empty SSL_CLIENT_CERT yourself?

(In reply to comment #3)
> require: always ask for a client certificate and always verify with the CA
> optional_no_ca: sometimes ask for a certificate, sometimes don't, and never verify with the CA
> and this option, require_no_ca: always ask for a certificate and never verify it.
> Very useful when you need to ask for a cert but you want to implement your own
> verify method (like me).
>
> This version has a bug, but
> https://issues.apache.org/bugzilla/show_bug.cgi?id=49037
> works great.
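The alternative proposed in comment #4 (run with optional_no_ca and reject connections that carried no client certificate yourself) as an added configuration example; it is not part of the bug report or of httpd's own documentation. It assumes mod_ssl and mod_rewrite are loaded and that the protected application is served under /app; the directives themselves (SSLVerifyClient, SSLOptions, SSLRequire) are real mod_ssl directives, and SSL_CLIENT_CERT and SSL_CLIENT_VERIFY are the standard mod_ssl environment variables.

```apache
# Added example, not from the bug report or from httpd itself.
# Ask for a client certificate on every handshake, but do not let OpenSSL
# fail the connection when the certificate is missing or cannot be chained
# to a configured CA (SSL_VERIFY_PEER without SSL_VERIFY_FAIL_IF_NO_PEER_CERT).
SSLEngine on
SSLVerifyClient optional_no_ca
SSLVerifyDepth 1

# Export the PEM-encoded client certificate into SSL_CLIENT_CERT so that the
# application behind Apache can run its own verification logic on it.
SSLOptions +StdEnvVars +ExportCertData

<Location /app>
    # Emulate require_no_ca at the HTTP layer: SSL_CLIENT_CERT is empty when
    # the client presented no certificate, so refuse those requests with 403.
    SSLRequire %{SSL_CLIENT_CERT} ne ""
</Location>
```

Two caveats for anyone adopting this: with optional_no_ca a certificate that failed chain verification is still exported, and SSL_CLIENT_VERIFY is set to GENEROUS rather than SUCCESS, so the application must treat the contents of SSL_CLIENT_CERT as unverified input and do the full verification (signature, validity period, revocation) itself. And on httpd 2.4, where SSLRequire is deprecated, the same check is written as Require expr %{SSL_CLIENT_CERT} != "" inside the same Location block.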
