On Wed, May 17, 2000 at 12:26:44PM +0530, Amit Chopra wrote:
> > But in s_server.c, after the two functions, there is another function:
> > SSL_CTX_set_client_CA_list(). It seems that this function has
> > something to do with client-verify.
> Hi,
>   This is used when you turn on client authentication.
> You need this function to set the list of CA names that the server
> send
> to the client in 'Certificate Request' message. The client then checks

This is only necessary if you have your CA certificates stored in
directory style, the third field in
SSL_CTX_load_verify_locations(ctx,CAfile,CApath).
In this case the CA certificate is looked up only based upon the CA
used by the client cert.
If you have all certificates in the CAfile, they are automatically sent
to the server without SSL_CTX_set_client_CA_list().
(If you use SSL_CTX_set_client_CA_list(), this mechanism does not work
any longer, you have to supply both lists of CA, the one in CApath _and_
those in CAfile.)


> if 
> it has a certificate signed by one of these CAs to send to the server.
This checking is optional. Netscape does it, don't know about other
browsers. OpenSSL does not offer this functionality automatically, you
have to realize this yourself.

> If it does not then, ideally the handshake should fail if client
> authentication
> is not optional.
No, the client can send any certificate it wants to send; I have just
checked out RFC2246, section 7.4.4. It is a MAY specification, not a MUST
to specify all CAs.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]