On Sat, 9 Dec 2023 at 03:57, <[email protected]> wrote:
>
> > Hmm. Maybe I should polish the two scripts I was using, and then put
> > them into the SSL module somewhere as examples. There are quite a few
> > subtleties (like that you won't see client certs unless you set
> > "ctx->auth_level = SSL.Constants.AUTHLEVEL_ask" on the server side)
> > and I would really have appreciated an example like that.
> >
>
> There's a lot of black magic in TLS, and client certificate handling is
> deceptively complicated, and there isn't really a one-size-fits-all
> solution. A lot of clients (web browsers particularly) won't provide a
> certificate, even if they have one, unless the server auth level is set
> to require. In a situation where you plan to use the certificate for
> authentication, it's best to set the level to require, otherwise users
> may find themselves failing to authenticate despite having configured a
> certificate.
>
> Bill
Yeah, "ask" or "require", else the client won't offer it. It makes sense, I guess, but definitely means it would be worth having at least one example somewhere for people to refer to. I'll see what I can do to add different use-cases and annotations to the script before inclusion.

One part that I'm still very iffy on is certificate authorities. For my own usage, I hard-coded the one authority that signed the certs I'm using, but for a proper example, I'll have to look into how authority checking is done for server certs and imitate that.

ChrisA
