[guest - Thu Jun 13 10:52:54 2002]:
> if this callback is called only once, how can we assure TLS compliance?
> I thought that it should be possible to react to a server's request by
> dynamically choosing from the list of acceptable CAs it attaches?

The certificate (and private key) are only stored into the SSL object, not
into the SSL_CTX object. Therefore it will go away if you SSL_free() the old
SSL object and create another one with SSL_new() for the next connection.

As you can see from the manual page (old or revised version), I have written
a pretty long BUGS section. I think that the API is simply not suitable for
the purpose it was intended for. The whole structure of the SSL/SSL_CTX
certificate handling was intended to handle single RSA certificates. The way
certificate chains are handled is nonsense and does break with the
client_cert_cb anyway. The certificate storage must be revised. It is on my
mental to-do list for 0.9.8 (I should check in an according ticket myself :-)

Best regards,
Lutz

PS. Why was it realized this way? I don't know. I only wrote the manual page
from reverse engineering. And as you could see from the thread, it is so
strange that I rather wrote down what I expected instead of what it really
did.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]