Hello,

> In my case I don't know who the special clients are, until they send
> their credentials. Only the clients know in advance that they are special.
>
> Is it possible for a client to unilaterally provide credentials without
> the server explicitly requesting them? If that were possible, I could
> stop requesting credentials from all clients.

According to the SSL3/TLS1 specification, the server decides whether to request client authentication or not. Client authentication is triggered by the server sending the client a CertificateRequest handshake packet (in the first client connection or in a re-handshake (renegotiation)).

> I can also operate a separate service port for clients that need to
> send credentials, but if I can avoid it, and not lose connectivity
> with misconfigured clients, I'd like to explore that option.

I think that in this situation only modifying the OpenSSL code may help (as a workaround against a badly configured client), but this may only complicate things. There are some SSL record layer callbacks in OpenSSL which may be used, but this is a bad solution :-)

Best regards,
--
Marek Marcola <[EMAIL PROTECTED]>

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
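
The CertificateRequest message mentioned in the reply above is visible in the plaintext server flight of a first SSL3/TLS1 handshake. The following is an added example, not part of the original message and not OpenSSL code: it walks a record stream and reports whether the server asked for a client certificate. The function names and the sample bytes are constructed for illustration.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20   # TLS record content types
CERTIFICATE_REQUEST = 13                 # handshake message type

def handshake_messages(stream: bytes):
    """Yield (msg_type, body) for each plaintext handshake message in a record stream."""
    buf, pos = b"", 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        fragment = stream[pos + 5:pos + 5 + length]
        if len(fragment) < length:
            raise ValueError("truncated TLS record")
        pos += 5 + length
        if ctype == CHANGE_CIPHER_SPEC:
            break          # later records are encrypted (a renegotiation would be too)
        if ctype != HANDSHAKE:
            continue       # e.g. alerts
        buf += fragment    # messages may share one record or span several
        while len(buf) >= 4:
            mlen = int.from_bytes(buf[1:4], "big")
            if len(buf) < 4 + mlen:
                break
            yield buf[0], buf[4:4 + mlen]
            buf = buf[4 + mlen:]

def server_requests_client_cert(stream: bytes) -> bool:
    """True if the server flight contains a CertificateRequest."""
    return any(t == CERTIFICATE_REQUEST for t, _ in handshake_messages(stream))

# Constructed sample data: message bodies are placeholders, not real captures.
def build_msg(msg_type: int, body: bytes) -> bytes:
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def build_record(payload: bytes, ctype: int = HANDSHAKE) -> bytes:
    return struct.pack("!BHH", ctype, 0x0301, len(payload)) + payload

HELLO = build_msg(2, b"\x03\x01" + bytes(36))    # ServerHello (placeholder body)
CERT = build_msg(11, bytes(3))                   # Certificate (empty chain)
CERT_REQ = build_msg(13, b"\x01\x01\x00\x00")    # CertificateRequest: rsa_sign, no CA names
DONE = build_msg(14, b"")                        # ServerHelloDone

WITH_REQUEST = build_record(HELLO + CERT) + build_record(CERT_REQ + DONE)
WITHOUT_REQUEST = build_record(HELLO + CERT + DONE)

if __name__ == "__main__":
    print(server_requests_client_cert(WITH_REQUEST))
    print(server_requests_client_cert(WITHOUT_REQUEST))
```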