When I specify the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag to SSL_CTX_set_verify, it has the intended effect if I set it on the server side; a client not presenting a cert is rejected. Setting this on the client side does not appear to have the same effect; a server that does not present a cert is still allowed to connect, so long as ADH ciphersuites are enabled. Looking through the code, s3_srvr.c has code that does this checking, whereas s3_clnt.c lacks it. Should a client side SSL_CTX understand/implement the FAIL_IF_NO_PEER_CERT flag?
Tom
--
Tom Wu
Principal Software Engineer
Arcot Systems
(408) 969-6124
"The Borg? Sounds Swedish..."
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                         [EMAIL PROTECTED]
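Added example, not part of the original post: the client-side hardening the question is reaching for, written against Python's `ssl` module (which wraps the same OpenSSL library) rather than the C API. It shows the two settings that together stop a client from completing a handshake with a server that presents no certificate: exclude the anonymous (aNULL/ADH) ciphersuites so the server cannot skip sending a certificate, and require a peer certificate, plus an explicit post-handshake check that mirrors the server-side `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` behaviour. The weak configuration from the post (no verification, ADH enabled) is built alongside for comparison. All function and class names are mine; `cafile` is an assumed parameter.

```python
# Added example (not from the original post): client-side equivalents of
# SSL_VERIFY_FAIL_IF_NO_PEER_CERT using Python's ssl module (OpenSSL underneath).
# The function/class names below are this example's own, not the library's.
import ssl


class MissingPeerCertificate(ssl.SSLError):
    """Raised when the handshake completed without a server certificate."""


def anonymous_ciphers(ctx):
    """Names of enabled ciphersuites that provide no server authentication.

    ssl.SSLContext.get_ciphers() reports the authentication method per suite;
    anonymous Diffie-Hellman suites (ADH/AECDH) show up with auth "None".
    """
    return [c["name"] for c in ctx.get_ciphers() if c.get("auth") == "None"]


def make_client_context(cafile=None):
    """A client context that cannot finish a handshake with a cert-less server."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already defaults to CERT_REQUIRED + check_hostname;
    # set them explicitly so the intent survives later edits.
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:  # assumed parameter: path to a trusted CA bundle
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    # Strip anonymous and NULL-encryption suites regardless of library default.
    ctx.set_ciphers("DEFAULT:!aNULL:!eNULL")
    return ctx


def make_permissive_context():
    """The weak configuration the post describes: no verification, ADH allowed.

    Returns None when the local OpenSSL build refuses the cipher string, which
    is itself a useful signal that anonymous suites are unavailable.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("DEFAULT:aNULL")
    except ssl.SSLError:
        return None
    return ctx


def is_hardened(ctx):
    """True only if the context both verifies and forbids anonymous suites."""
    return (
        ctx.verify_mode == ssl.CERT_REQUIRED
        and bool(ctx.check_hostname)
        and not anonymous_ciphers(ctx)
    )


def require_peer_certificate(tls_sock):
    """Post-handshake check: abort if the server presented no certificate.

    tls_sock is any object with getpeercert(binary_form=True) -> DER bytes
    or None, i.e. an ssl.SSLSocket after connect(). Returns the DER bytes.
    """
    der = tls_sock.getpeercert(binary_form=True)
    if not der:
        raise MissingPeerCertificate("server presented no certificate")
    return der


if __name__ == "__main__":
    hardened = make_client_context()
    print("hardened context ok:", is_hardened(hardened))
    weak = make_permissive_context()
    if weak is None:
        print("this OpenSSL build refuses to enable anonymous suites")
    else:
        print("weak context would accept:", anonymous_ciphers(weak))
```

Even with `CERT_REQUIRED` set, the cipher-list exclusion is what matters for the case in the post: an anonymous suite never produces a certificate to verify, so `require_peer_certificate` is the client-side analogue of the server's fail-if-no-peer-cert check and belongs right after `connect()` on every connection.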
