Thanks, Mark. I clearly see the certificates from the client in
sendmail's log file. Here's an example:
Jun 3 13:09:14 st sendmail[18951]: STARTTLS=server,
cert-subject=/DC=com/DC=TT-eXpress/OU=Main+20Directory/CN=Mike+20Schmidt/serialNumber=17,
cert-issuer=/DC=com/DC=TT-eXpress/CN=TT-eXpress+20Root+20Authority+20CA+201,
verifymsg=ok
This is clearly my certificate used for the TLS connection. If I
understand correctly, c-client isn't doing the TLS negotiation,
Microsoft SSPI is. Sometimes there's no certificate, so I guess in that
case only the server cert is checked.
I must say that I'm really pleasantly surprised by the way c-client
handles this. It works beautifully. Now, all I need to do is get some
control over the client certs. Overall, I find my experience with
c-client to be very positive.
Thanks, Mark. I appreciate c-client more and more as I work with it.
Mike
Mark Crispin wrote:
The Windows SSL code in c-client (which uses Microsoft SSPI) doesn't
attempt to do anything about client certificates. It only validates
the server certificate. If client certificates are used at all in the
negotiation, it is SSPI/Windows that is doing that.
If you want to try to implement client certificates, the routine that
you need to modify is ssl_start() in imap-200?/src/osdep/nt/ssl_w2k.c
(maybe also ssl_nt.c and ssl_old.c).
-- Mark --
http://staff.washington.edu/mrc
Science does not emerge from voting, party politics, or public debate.
Si vis pacem, para bellum.
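
Added example, not part of the original messages and not c-client or sendmail code: a server-side check of which STARTTLS sessions presented a client certificate, parsing log entries of the form quoted above and decoding the +XX hex escapes (+20 is a space). It assumes each entry is one syslog line with ", "-separated fields; the second sample line is constructed, and the function names are hypothetical.

```python
import re

# Sample input: the first entry is the one quoted in the message, joined onto
# one line; the second is constructed to show a session with no client cert.
SAMPLE_LOG = (
    "Jun 3 13:09:14 st sendmail[18951]: STARTTLS=server, "
    "cert-subject=/DC=com/DC=TT-eXpress/OU=Main+20Directory/CN=Mike+20Schmidt/serialNumber=17, "
    "cert-issuer=/DC=com/DC=TT-eXpress/CN=TT-eXpress+20Root+20Authority+20CA+201, "
    "verifymsg=ok\n"
    "Jun 3 13:11:02 st sendmail[18960]: STARTTLS=server, "
    "relay=client.example [192.0.2.10], version=TLSv1/SSLv3, verify=NO, "
    "cipher=AES256-SHA, bits=256/256\n"
)

ENTRY = re.compile(r"sendmail\[(\d+)\]: (STARTTLS=server.*)$")
# A value runs until the next ", key=" or end of line, so the "=" and "/"
# inside a distinguished name stay part of the value.
FIELD = re.compile(r"([\w-]+)=(.*?)(?=, [\w-]+=|$)")

def decode_plus_hex(text):
    """Undo the +XX hex escaping used in the cert fields."""
    return re.sub(r"\+([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), text)

def parse_dn(dn):
    """Split /K=V/K=V into ordered (attribute, value) pairs; decode after splitting."""
    pairs = []
    for part in filter(None, dn.split("/")):
        key, _, value = part.partition("=")
        pairs.append((key, decode_plus_hex(value)))
    return pairs

def parse_entry(line):
    """Return a summary dict for a STARTTLS=server line, or None for other lines."""
    m = ENTRY.search(line)
    if not m:
        return None
    fields = dict(FIELD.findall(m.group(2)))
    subject = parse_dn(fields.get("cert-subject", ""))
    issuer = parse_dn(fields.get("cert-issuer", ""))
    return {"pid": int(m.group(1)), "client_cert": bool(subject),
            "subject": subject, "issuer_cn": dict(issuer).get("CN"),
            "verifymsg": fields.get("verifymsg")}

def audit(log_text):
    return [e for e in map(parse_entry, log_text.splitlines()) if e]

if __name__ == "__main__":
    for e in audit(SAMPLE_LOG):
        who = dict(e["subject"]).get("CN") if e["client_cert"] else "(no client cert)"
        print(e["pid"], who, e["issuer_cn"], e["verifymsg"])
```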