[guest - Thu Jun 13 10:52:54 2002]:

> if this callback is called only once, how can we assure TLS compliance?
> I thought that it should be possible to react to a server's request by
> dynamically choosing from the list of acceptable CAs it attaches?

The certificate (and private key) are only stored in the SSL object,
not in the SSL_CTX object. Therefore it will go away if you
SSL_free() the old SSL object and create another one with SSL_new() for
the next connection.

As you can see from the manual page (old or revised version), I have
written a pretty long BUGS section. I think that the API is simply not
suitable for the purpose it was intended for. The whole structure of the
SSL/SSL_CTX certificate handling was intended to handle single RSA
certificates. The way certificate chains are handled is nonsense and
breaks with the client_cert_cb anyway.
The certificate storage must be revised. It is on my mental to-do list
for 0.9.8 (I should check in a corresponding ticket myself :-)

Best regards,
       Lutz
PS. Why was it realized this way? I don't know. I only wrote the manual
page from reverse engineering. And as you could see from the thread,
it is so strange that I rather wrote down what I expected instead of
what it really did.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
