On Tue, Jul 21, 2015, Victor Wagner wrote:

> On Tue, 21 Jul 2015 06:58:24 +0000 (UTC)
> Anirudh Raghunath <anirudhraghun...@rocketmail.com> wrote:
> 
> As far as I can understand, this function is designed to be called from
> the client certificate callback, set with function
> SSL_CTX_set_client_cert_cb. This callback gets pointer to SSL structure
> (which should be passed to ENGINE_load_ssl_client_cert) and can use
> SSL_get_client_CA_list to obtain list of CAs, which server would trust.
> (SSL protocol allows to send this list to client).
> 

It's intended to be called automatically when SSL_CTX_set_client_cert_engine
sets up a "client authentication ENGINE".

> So, you would pass to the ENGINE_load_ssl_client_certs
> 
> 1. reference to engine to use
> 2. pointer to SSL object of your client connection (don't know why it
> might be needed), 

This is there so the ENGINE can query other properties of the connection which
might decide which chain to use. For example the supported signature
algorithms.

> 
> Unfortunately, I do not know any engine which does all the things above.
> I've looked into source of OpenSC pkcs11 engine version 0.1.8 and found
> out that it doesn't support this function.
> 

The CrytpoAPI ENGINE performs some of these tasks but so far it is the only
one I'm aware of.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to