Thanks for the insights. I'm looking forward to the next versions... :-)

Best regards,
Erik

-----Original Message-----
From: Lutz Jaenicke via RT [mailto:[EMAIL PROTECTED]]
Sent: Thursday, June 13, 2002 11:03 AM
To: Sohns Erik
Cc: [EMAIL PROTECTED]
Subject: [openssl.org #95] SSL_CTX_set_client_cert_cb error ?

[guest - Thu Jun 13 10:52:54 2002]:
> If this callback is called only once, how can we assure TLS compliance? I thought that it
> should be possible to react to a server's request by dynamically choosing from the list of
> acceptable CAs it attaches?

The certificate (and private key) are only stored in the SSL object, not in the SSL_CTX object. Therefore it will go away if you SSL_free() the old SSL object and create another one with SSL_new() for the next connection.

As you can see from the manual page (old or revised version), I have written a pretty long BUGS section. I think that the API is simply not suitable for the purpose it was intended for. The whole structure of the SSL/SSL_CTX certificate handling was intended to handle single RSA certificates. The way certificate chains are handled is nonsense and breaks with the client_cert_cb anyway. The certificate storage must be revised. It is on my mental to-do list for 0.9.8 (I should check in a corresponding ticket myself :-)

Best regards,
Lutz

PS. Why was it realized this way? I don't know. I only wrote the manual page from reverse engineering. And as you could see from the thread, it is so strange that I rather wrote down what I expected instead of what it really did.