On Wed, Jan 10, 2001 at 01:09:09PM +0300, Oleg Amiton wrote:
> Hi, all!
>
> Can you clear up one question for me about certificate verification?
> My SSL-enabled server, written with OpenSSL-0.9.6, accepts client
> (browser) connections with an SSL_CTX ctx previously initialized as:
>
> int VerifyMode = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
> SSL_VERIFY_CLIENT_ONCE;
> int VerifyDepth = 6;
> SSL_CTX_set_verify(ctx, VerifyMode, SSL_verify_callback);
> SSL_CTX_set_verify_depth(ctx, VerifyDepth);
>
> However, the server asks for a client certificate at _every_ connection -
> the browser displays the corresponding dialog.
> What am I doing wrong? Is SSL_VERIFY_CLIENT_ONCE not a sufficient
> condition to ask for the certificate only once?

The "once" applies for re-negotiation within the same session.
If a new connection is opened and the session is not cached, a new
session is negotiated and the certificate window will pop up again.

Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153