Wade L. Scholine <[EMAIL PROTECTED]>:
> I have been using client verification with one CA cert by doing an
> SSL_CTX_load_verify_locations() with the file arg pointing to a filename
> and the path arg null.
>
> I want to extend this to accept client certs from multiple CAs.
> Scanning back through my archive of this list I see the following
> from Bodo Moeller, which seems to imply that what I am already doing
> should not work:
>> A likely error is that your server does not send the list of accepted CAs.
>> SSL_CTX_load_verify_locations is not enough, you also need
>> SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile))
>> (assuming that CAfile is a file that contains "PEM" format certificates
>> of all CAs that you want to accept).
> Now, this confuses me. I am not now doing a SSL_CTX_set_client_CA_list()
> (or any of the .+add_client_CA() routines) and yet when I connect to my
> server with a browser I get prompted to pick a cert.
But it's not the newest version of whatever browser you're using,
right? I think I've heard that some older browsers let the user
choose any certificate when the server has asked for a client cert but
has not provided the list of acceptable CAs (which is not legal server
behaviour according to the SSL 3.0 and TLS 1.0 specifications, and
does not work with many other browsers).
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
