I'm not entirely certain what you're asking here. Usually, clients have a list of CAs that they trust, and a list of personal certificates to which they have the private keys. If a server requests a certificate and gives a certain CA, the client can automatically send the certificate they have from that CA (or a choice of more than one); if the server says it accepts more than one CA, the client can send from any of those or none.
The TLS (and SSL) protocols already basically have given the power to the client, not the server. The server's security policy is what controls what little power it has.

-Kyle H

On 8/10/06, Vijay K. Gurbani <[EMAIL PROTECTED]> wrote:
I have a client that masquerades as different virtual clients and thus needs to present a different certificate to a server based on some internal policy. For instance, consider a client that hosts two virtual domains: foo.com and bar.com. When initiating requests from a user in the foo.com domain, the certificate that the client provides to the server would have keying material pertinent to the foo.com domain. Likewise for the bar.com domain.

To facilitate name-based virtual servers, TLS has extensions that allow a client to specify a server name when a TLS connection is formed to the server. The server can then present the right certificate to the client. I am doing the same thing, except that it is being done on the client, not the server.

Has anyone done this before? One way to do this is as follows: before the client forms a TLS connection to the server, it will invoke SSL_CTX_use_certificate_chain_file() to load the appropriate certificate in the SSL context. When done, it unloads the file.

Does anyone see something blatantly wrong with this? Or a better way to accomplish what I want to do?

Thanks,

- vijay
--
Vijay K. Gurbani [EMAIL PROTECTED],research.bell-labs.com,acm.org}
Bell Laboratories, Lucent Technologies, Inc.
2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA)

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
--
-Kyle H