Stephen Henson wrote:
> > In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> > Henrik,
> >
> > Henrik Gemal wrote:
> > > How does Mozilla select certificates to show to a webserver when the
> > > server asks for a certificate?
> >
> > The web server first sends Mozilla a list of valid CA certificates from
> > which it will accept client cert.
> >
>
> Although a server sending an empty list is strictly speaking illegal in
> SSL/TLS some implementations will tolerate it and interpret it as "any
> CA".
>
> No idea if Mozilla does though...
>
> Steve.
> --
> Dr Stephen N. Henson.
> Core developer of the OpenSSL project: http://www.openssl.org/
> Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
> Email: [EMAIL PROTECTED], PGP key: via homepage.
Until recently, NSS treated a cert request with an empty set of CA names as an error. Now, in the most recent versions (3.7 and later, IIRC), it allows zero-length lists, and passes them up to the application's cert selection callback function. I don't know what mozilla (the browser application) does when it receives a zero-length CA name list.

This change to NSS was made in response to the Internet Draft revision to RFC 2246.
ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-ietf-tls-rfc2246-bis-03.txt
As presently drafted, TLS 1.1 will explicitly allow zero length CA name lists.

--
Nelson Bolyard
Netscape Communications (subsidiary of AOL)
Disclaimer: I speak for myself, not for Netscape
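The two behaviours discussed in this thread (the strict RFC 2246 reading, where a `certificate_authorities` vector shorter than 3 bytes is a protocol error, versus the tolerant reading, where an empty list means "any CA") can be made concrete with a small parser for the CertificateRequest body and a client-side certificate selection step. The following is an added illustration written for this page; it is not code from NSS, OpenSSL or Mozilla. The function names are hypothetical, and the CA names are constructed ASCII placeholders standing in for the DER-encoded DistinguishedName values a real implementation would compare byte for byte.

```python
import struct

# Constructed sample CA names. A real CertificateRequest carries DER-encoded
# DistinguishedNames here; plain strings keep the example readable.
CA_NAME_A = b"CN=Example Root CA A"
CA_NAME_B = b"CN=Example Root CA B"


def build_certificate_request(cert_types, ca_names):
    """Encode a TLS 1.0 CertificateRequest body (RFC 2246 section 7.4.4).

    Layout: certificate_types<1..2^8-1>, then
            certificate_authorities<3..2^16-1> as a sequence of
            DistinguishedName<1..2^16-1> entries (2-byte length + name).
    The handshake header is not included.
    """
    types = bytes([len(cert_types)]) + bytes(cert_types)
    names = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    return types + struct.pack("!H", len(names)) + names


def parse_certificate_request(body, strict_rfc2246=False):
    """Return (cert_types, ca_names) parsed from a CertificateRequest body.

    strict_rfc2246=True enforces the minimum 3-byte certificate_authorities
    vector from RFC 2246 and rejects an empty CA list as an error (the older
    NSS behaviour described in the thread). With the default False, an empty
    list is passed through so the caller can treat it as "any CA".
    """
    if len(body) < 1:
        raise ValueError("truncated certificate_types length")
    n_types = body[0]
    if n_types == 0 or len(body) < 1 + n_types + 2:
        raise ValueError("bad certificate_types vector")
    cert_types = list(body[1:1 + n_types])
    pos = 1 + n_types

    names_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if len(body) != pos + names_len:
        raise ValueError("certificate_authorities length mismatch")
    if strict_rfc2246 and names_len < 3:
        raise ValueError("RFC 2246 requires a non-empty certificate_authorities list")

    end = pos + names_len
    ca_names = []
    while pos < end:
        if end - pos < 2:
            raise ValueError("truncated DistinguishedName length")
        dn_len = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        if dn_len == 0 or pos + dn_len > end:
            raise ValueError("bad DistinguishedName length")
        ca_names.append(body[pos:pos + dn_len])
        pos += dn_len
    return cert_types, ca_names


def accepted_strictly(body):
    """True if the body parses under the strict RFC 2246 rules, else False."""
    try:
        parse_certificate_request(body, strict_rfc2246=True)
        return True
    except ValueError:
        return False


def select_client_certs(client_certs, ca_names):
    """Pick the client certs whose issuer appears in the server's CA list.

    client_certs is a list of (label, issuer_name_bytes). An empty ca_names
    list is interpreted as "any CA", so every certificate is a candidate;
    the application's selection callback would then choose among them.
    """
    if not ca_names:
        return [label for label, _ in client_certs]
    wanted = set(ca_names)
    return [label for label, issuer in client_certs if issuer in wanted]


if __name__ == "__main__":
    # Constructed client key store: one cert issued by CA A, one by an unlisted CA.
    store = [("alice-from-ca-a", CA_NAME_A), ("alice-from-other", b"CN=Other CA")]
    normal = build_certificate_request([1], [CA_NAME_A, CA_NAME_B])   # 1 = rsa_sign
    empty = build_certificate_request([1], [])
    print("listed CAs  ->", select_client_certs(store, parse_certificate_request(normal)[1]))
    print("empty list  ->", select_client_certs(store, parse_certificate_request(empty)[1]))
    print("empty list accepted under strict RFC 2246?", accepted_strictly(empty))
```

The `strict_rfc2246` switch is where an implementation decides which of the two readings in the thread it follows; a client that tolerates the empty list should still apply its own policy in the selection callback rather than silently sending the first certificate it holds.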
