On 08/02/16 14:36, Viktor Dukhovni wrote:
>
>> On Feb 8, 2016, at 9:26 AM, Matt Caswell <m...@openssl.org> wrote:
>>
>> SSL_renegotiate(ssl);
>> SSL_do_handshake(ssl);
>> do {
>>     read_some_app_data();
>>     if(no_client_cert_yet()) {
>>         discard_app_data();
>>     }
>> } while(no_client_cert_yet());
>
> At what point in the handshake would a query for client
> certificates show their presence? Is it always strictly
> after the new "finished" message? An additional check for
> the completion of the handshake may be appropriate.
>
Actually, yes, that is a good point. There could be some subtle security
issues there. You probably need to additionally check that you are not
halfway through a handshake:

SSL_renegotiate(ssl);
SSL_do_handshake(ssl);
do {
    read_some_app_data();
    if(no_client_cert_yet() || SSL_in_init(ssl)) {
        discard_app_data();
    }
} while(no_client_cert_yet() || SSL_in_init(ssl));

Matt

-- 
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev