I have a client that masquerades as different virtual clients and thus needs to present a different certificate to a server based on some internal policy.
For instance, consider a client that hosts two virtual domains: foo.com and bar.com. When initiating requests from a user in the foo.com domain, the certificate that the client provides to the server would have keying material pertinent to the foo.com domain. Likewise for the bar.com domain.

To facilitate name-based virtual servers, TLS has extensions that allow a client to specify a server name when a TLS connection is formed to the server. The server can then present the right certificate to the client. I am doing the same thing, except that it is being done on the client, not the server. Has anyone done this before?

One way to do this is as follows: before the client forms a TLS connection to the server, it will invoke SSL_CTX_use_certificate_chain_file() to load the appropriate certificate in the SSL context. When done, it unloads the file.

Does anyone see something blatantly wrong with this? Or a better way to accomplish what I want to do?

Thanks,

- vijay
--
Vijay K. Gurbani [EMAIL PROTECTED],research.bell-labs.com,acm.org}
Bell Laboratories, Lucent Technologies, Inc.
2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
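The design sketched in the post, carried through end to end as an added example (this is not code from the original post or from the OpenSSL project). It keeps one ready-built SSL context per virtual identity and selects the context per connection by policy, rather than swapping a certificate into a single shared context and "unloading" it afterwards. It uses Python's stdlib ssl module, whose SSLContext.load_cert_chain() wraps the same OpenSSL calls (SSL_CTX_use_certificate_chain_file and SSL_CTX_use_PrivateKey_file) the post mentions, and a local TLS server that requires a client certificate and echoes back the CN it received, so the caller can see which identity was presented. It assumes the `openssl` command-line tool is on PATH (OpenSSL 1.1.1 or later, for -addext) to mint throwaway self-signed test certificates; the domains foo.com, bar.com, the server name server.test, the user@domain policy and all file paths are constructed for this demo.

```python
"""Client-side certificate selection per virtual domain (added example).

Assumption: the `openssl` CLI is available to mint test certificates.
All names, paths and the user -> domain policy are constructed here.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

WORKDIR = tempfile.mkdtemp(prefix="vclient-")
VIRTUAL_DOMAINS = ("foo.com", "bar.com")   # identities this client can assume
SERVER_NAME = "server.test"                # hostname the client expects to verify


def mint_cert(name: str) -> tuple[str, str]:
    """Create a self-signed cert/key pair with CN and SAN `name` (test fixture only)."""
    key = os.path.join(WORKDIR, f"{name}.key")
    crt = os.path.join(WORKDIR, f"{name}.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1",
         "-subj", f"/CN={name}", "-addext", f"subjectAltName=DNS:{name}"],
        check=True, capture_output=True,
    )
    return crt, key


class VirtualClient:
    """One SSLContext per virtual domain, chosen per request by policy.

    This is the client-side counterpart of SNI-driven certificate selection
    on a server: the context is picked before the handshake, and no shared
    context is ever mutated between connections.
    """

    def __init__(self, identities: dict, server_ca: str):
        self.contexts = {}
        for domain, (crt, key) in identities.items():
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.load_cert_chain(crt, key)            # SSL_CTX_use_certificate_chain_file + key
            ctx.load_verify_locations(cafile=server_ca)
            self.contexts[domain] = ctx              # check_hostname stays on (default)

    def select_context(self, user: str) -> ssl.SSLContext:
        """Policy: the part after '@' names the virtual domain to speak as."""
        domain = user.split("@", 1)[1] if "@" in user else ""
        if domain not in self.contexts:
            raise ValueError(f"no client identity configured for {domain!r}")
        return self.contexts[domain]

    def request(self, user: str, port: int) -> str:
        """Connect as `user`'s domain and return the CN the server saw."""
        ctx = self.select_context(user)
        with socket.create_connection(("127.0.0.1", port)) as raw:
            with ctx.wrap_socket(raw, server_hostname=SERVER_NAME) as tls:
                return tls.recv(1024).decode()


def run_server(server_crt: str, server_key: str, client_roots: str) -> int:
    """Start a TLS server that demands a client cert and echoes its CN; returns the port."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_crt, server_key)
    ctx.verify_mode = ssl.CERT_REQUIRED               # mutual TLS: client cert mandatory
    ctx.load_verify_locations(cafile=client_roots)
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)

    def serve():
        while True:
            conn, _ = lsock.accept()
            try:
                with ctx.wrap_socket(conn, server_side=True) as tls:
                    subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                    tls.sendall(subject["commonName"].encode())
            except (ssl.SSLError, OSError):
                pass                                  # handshake failure: drop the connection

    threading.Thread(target=serve, daemon=True).start()
    return lsock.getsockname()[1]


def build_demo() -> tuple[VirtualClient, int]:
    """Mint the certificates, start the server and return (client, port)."""
    server_crt, server_key = mint_cert(SERVER_NAME)
    identities = {domain: mint_cert(domain) for domain in VIRTUAL_DOMAINS}
    roots = os.path.join(WORKDIR, "client-roots.pem")
    with open(roots, "w") as out:                     # server trusts both client identities
        for crt, _ in identities.values():
            with open(crt) as f:
                out.write(f.read())
    return VirtualClient(identities, server_crt), run_server(server_crt, server_key, roots)


def demo() -> dict:
    """Map each user to the client CN the server reported for that connection."""
    client, port = build_demo()
    return {user: client.request(user, port) for user in ("alice@foo.com", "bob@bar.com")}


if __name__ == "__main__":
    for user, seen_cn in demo().items():
        print(f"{user:>14} -> server saw client cert CN={seen_cn}")
```

Keeping one context per identity, as the example does, is what makes the post's "load, use, unload" step unnecessary: an SSL_CTX is shared by every connection created from it, so replacing its certificate while another thread is mid-connect is a race, and OpenSSL has no "unload" call anyway (a later SSL_CTX_use_certificate_chain_file simply overwrites the previous certificate). The contexts are built once, and the only per-request decision is which one to hand to the connection.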