I'm moving this to the openssl-users mailing list.
====
Does your server even ask for a client certificate?
I mean... did you set the verify mode to SSL_VERIFY_PEER?  If you haven't done so, your server is not client-authenticated, which means it won't even ask for a client certificate.  The default mode is SSL_VERIFY_NONE, I think.
The call you want to make is something like:
 
    SSL_CTX *ctx = SSL_CTX_new( method );

    /* don't request cert during re-negotiation */
    int server_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
or
    /* insist on verification */
    int server_verify = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
or you can even mix the two:
    int server_verify = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE;

    SSL_CTX_set_verify( ctx, server_verify, verify_callback );
 
server_verify is just a variable name I chose for this example.  Anything will do.
You can find an example of a verify_callback routine in the s_cb.c file in the OpenSSL 'apps' directory.  s_server.c and s_client.c in the same directory have some examples of how to implement various things, although there's a warning about using those as examples.

-------------------------------------------------
Peter Kim
Software Developer
Xcert International Inc.
URL: http://www.xcert.com
homepage: http://home.xcert.com/~pckim
ph 604 640 6210 ext 268
 
Explicitly trust my certificate or download the Xcert Internal Repository CA to verify my signature.
URL: https://wsca.xcert.com:444/send-ca-cert.xuda?CA=3fb7cf984e10a9c46c5ac9deab0bf6f2
-------------------------------------------------
----- Original Message -----
From: techinfo
Sent: Thursday, August 03, 2000 6:40 AM
Subject: How server can get client certificate?

Hi:
   Our client has received the server's certificate, but the server can't get the client's certificate. (The client has a correct certificate.) Why? What should we do? We need your help!
 
 
 
Best Regards!
 
TechInfo Group
 
 
