RE: Help with client certificates

2012-07-27 Thread Fili, Tom
That is very helpful. So it looks like there are 2 options, either
selecting the first certificate or using the dialog.

It looks like there is a callback (client_cert_select) on the CAPI_CTX,
which you can get from ENGINE_get_ex_data if you know the index (which
seems to be static to the e_capi.c file). Is there a clean way to do what
I want or do I have to hack it and look at the engine->ex_data->sk and
make a guess at it?


Thomas Fili

-----Original Message-----
From: owner-openssl-us...@openssl.org
[mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, July 26, 2012 6:42 PM
To: openssl-users@openssl.org
Subject: Re: Help with client certificates

On Wed, Jul 25, 2012, Fili, Tom wrote:

> I'm trying to set up my application to allow for the use of client
> certificates. I am using the capi engine to pull from the Windows store.
> 
> I set up my ssl connection and it works fine if I set the correct
> certificate using SSL_CTX_use_certificate_ASN1 &
> ENGINE_load_private_key.
> 
> From what I've read, in the SSL handshake where client certificates are
> required, the server actually sends back a list of CAs that it accepts.
> Is there something I can do after SSL_do_handshake or something I can
> do in place of it to get that list of CAs, so I can filter the list I
> display to the user (similar to the certificate dialogs you see in a
> browser).
> 

There is an automatic client certificate selection feature in the capi
ENGINE.
You just pass the ENGINE parameter to SSL_CTX_set_client_cert_engine. If
OpenSSL is compiled with the OPENSSL_CAPIENG_DIALOG it will also display
a dialog box.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org


Re: Help with client certificates

2012-07-26 Thread Dr. Stephen Henson
On Wed, Jul 25, 2012, Fili, Tom wrote:

> I'm trying to set up my application to allow for the use of client
> certificates. I am using the capi engine to pull from the Windows store.
> 
> I set up my ssl connection and it works fine if I set the correct
> certificate using SSL_CTX_use_certificate_ASN1 &
> ENGINE_load_private_key.
> 
> From what I've read, in the SSL handshake where client certificates are
> required, the server actually sends back a list of CAs that it accepts.
> Is there something I can do after SSL_do_handshake or something I can do
> in place of it to get that list of CAs, so I can filter the list I
> display to the user (similar to the certificate dialogs you see in a
> browser).
> 

There is an automatic client certificate selection feature in the capi ENGINE.
You just pass the ENGINE parameter to SSL_CTX_set_client_cert_engine. If
OpenSSL is compiled with the OPENSSL_CAPIENG_DIALOG it will also display a
dialog box.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org