Eric, I loved your book. Ordered it from B&N as soon as I saw it. Helped me overcome some early initial mindblocks when first integrating with OpenSSL. For those of you reading this, Eric's book is titled "SSL and TLS: Designing and Building Secure Systems" and is published by Addison-Wesley.
After reading your reply, I agree that the server should be receiving an alert prior to the FIN indicating the error condition which occurred on the client. Perhaps I should have qualified that my expectations of an HTTP SSL connection from a client should not hold a connection open on a server while the user waits god-knows-how-long to decide whether to accept a cert or not. Most users don't have a clue why they see that dialog box anyway. However, you realize that no session prior to this point would have been established on the server for that user as the cert was not previously authenticated...

-----Original Message-----
From: Eric Rescorla [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 04, 2001 2:36 PM
To: [EMAIL PROTECTED]
Subject: Re: SSL_read() never returns an error if client rejects certificate

Neff Robert A <[EMAIL PROTECTED]> writes:
> Rick,
> Actually, the retardedness is due to the netscape browser
> not terminating the network connection while waiting for
> the user's input. Micro$oft IE implements that behaviour
> properly by terminating the connection, waiting for the
> user to accept the cert, then will reconnect once accepted.
> Chalk one up for Microsoft for server friendliness...

Actually, MS's behavior is widely believed to be inferior because the server has no way of knowing what went wrong: the client just shut down the connection. By contrast, if you reject the certificate Netscape will send a bad_certificate alert.

Worse yet, the client fails to send a close_notify before sending a TCP FIN. A truly compliant SSL server (which most are not) would discard the session, thus forcing a complete rehandshake when the client connects. This doubles the compute cost to the server.

Whether sockets or CPU time is more precious to the server depends on the server.
-Ekr

[Eric Rescorla [EMAIL PROTECTED]]
Author of "SSL and TLS: Designing and Building Secure Systems"
http://www.rtfm.com/

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
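The distinction Eric draws above (a client that sends a bad_certificate alert versus one that just sends a TCP FIN, and a close_notify versus no close_notify) is visible on the server side by looking at the bytes the socket returns after the server's Certificate message. The following is an added example, not code from this thread or from OpenSSL: it parses a single TLS record-layer read using only the plaintext record and Alert formats of RFC 2246 (the handshake runs under the null cipher until ChangeCipherSpec, so a certificate-rejection alert arrives unencrypted), classifies the outcome a server observes, and applies the session-cache rule Eric describes: only an orderly close leaves the session resumable. The sample byte strings are hand-constructed, not captured traffic, and the enum and function names are this example's own.

```c
/*
 * Added example (not from the thread or from OpenSSL): classify what a TLS
 * server sees from the client right after sending its Certificate, using only
 * the record-layer and Alert formats of RFC 2246. No cipher is active during
 * the handshake, so a client's bad_certificate alert can be parsed in the clear.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define TLS_CT_ALERT            21   /* ContentType alert(21) */
#define TLS_ALERT_WARNING        1   /* AlertLevel warning(1) */
#define TLS_ALERT_FATAL          2   /* AlertLevel fatal(2) */
#define TLS_AD_CLOSE_NOTIFY      0   /* AlertDescription close_notify(0) */
#define TLS_AD_BAD_CERTIFICATE  42   /* AlertDescription bad_certificate(42) */

enum client_outcome {
    OUTCOME_FIN_WITHOUT_ALERT,  /* zero-length read: TCP FIN, no close_notify */
    OUTCOME_CLOSE_NOTIFY,       /* warning/close_notify: orderly shutdown */
    OUTCOME_FATAL_ALERT,        /* fatal alert, e.g. bad_certificate */
    OUTCOME_WARNING_ALERT,      /* any other warning-level alert */
    OUTCOME_OTHER_RECORD,       /* handshake or application data: carry on */
    OUTCOME_MALFORMED           /* truncated or inconsistent record */
};

struct tls_alert {
    uint8_t level;        /* warning(1) or fatal(2) */
    uint8_t description;  /* e.g. bad_certificate(42) */
};

/* Classify one read() result. len == 0 means the peer closed (EOF/FIN).
 * When the record is an alert and out is non-NULL, *out receives it. */
enum client_outcome classify_client_read(const uint8_t *buf, size_t len,
                                         struct tls_alert *out)
{
    if (len == 0)
        return OUTCOME_FIN_WITHOUT_ALERT;
    if (len < 5)                            /* TLSPlaintext header is 5 bytes */
        return OUTCOME_MALFORMED;

    uint8_t type = buf[0];                  /* buf[1..2] is the protocol version */
    size_t body_len = ((size_t)buf[3] << 8) | buf[4];
    if (body_len + 5 > len)
        return OUTCOME_MALFORMED;
    if (type != TLS_CT_ALERT)
        return OUTCOME_OTHER_RECORD;
    if (body_len != 2)                      /* Alert is exactly {level, description} */
        return OUTCOME_MALFORMED;

    struct tls_alert a = { buf[5], buf[6] };
    if (out)
        *out = a;
    if (a.level == TLS_ALERT_FATAL)
        return OUTCOME_FATAL_ALERT;
    if (a.level == TLS_ALERT_WARNING)
        return a.description == TLS_AD_CLOSE_NOTIFY ? OUTCOME_CLOSE_NOTIFY
                                                    : OUTCOME_WARNING_ALERT;
    return OUTCOME_MALFORMED;               /* unknown alert level */
}

/* The alert description carried by a read, or -1 if the read was not an alert. */
int alert_description_of(const uint8_t *buf, size_t len)
{
    struct tls_alert a;
    enum client_outcome o = classify_client_read(buf, len, &a);
    if (o == OUTCOME_FATAL_ALERT || o == OUTCOME_WARNING_ALERT || o == OUTCOME_CLOSE_NOTIFY)
        return a.description;
    return -1;
}

/* Session-cache rule from the thread: a fatal alert or an abrupt FIN without
 * close_notify invalidates the session, so the next connect is a full
 * handshake; an orderly close (or an ongoing connection) keeps it resumable. */
int session_resumable_after(enum client_outcome o)
{
    return o == OUTCOME_CLOSE_NOTIFY || o == OUTCOME_WARNING_ALERT
        || o == OUTCOME_OTHER_RECORD;
}

/* Constructed sample reads (hand-built bytes, not captured traffic):
 * record type 0x15 (alert), version 3.1, length 2, then {level, description}. */
static const uint8_t SAMPLE_BAD_CERT[]     = { 0x15, 0x03, 0x01, 0x00, 0x02, 0x02, 0x2a };
static const uint8_t SAMPLE_CLOSE_NOTIFY[] = { 0x15, 0x03, 0x01, 0x00, 0x02, 0x01, 0x00 };
static const uint8_t SAMPLE_TRUNCATED[]    = { 0x15, 0x03, 0x01, 0x00, 0x02, 0x02 };

int main(void)
{
    enum client_outcome o;

    o = classify_client_read(SAMPLE_BAD_CERT, sizeof SAMPLE_BAD_CERT, NULL);
    printf("Netscape-style rejection: alert %d, outcome %d, resumable=%d\n",
           alert_description_of(SAMPLE_BAD_CERT, sizeof SAMPLE_BAD_CERT), (int)o,
           session_resumable_after(o));

    o = classify_client_read(SAMPLE_CLOSE_NOTIFY, sizeof SAMPLE_CLOSE_NOTIFY, NULL);
    printf("orderly close_notify: outcome %d, resumable=%d\n", (int)o,
           session_resumable_after(o));

    o = classify_client_read(NULL, 0, NULL);  /* IE-style bare TCP FIN */
    printf("bare FIN: outcome %d, resumable=%d\n", (int)o, session_resumable_after(o));

    o = classify_client_read(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, NULL);
    printf("truncated record: outcome %d\n", (int)o);
    return 0;
}
```

In a real server this classification would sit behind the library's read call rather than on raw bytes: with OpenSSL, a fatal alert from the peer surfaces as an SSL_read() failure whose SSL_get_error() is SSL_ERROR_SSL, a close_notify as SSL_ERROR_ZERO_RETURN, and a bare FIN as SSL_ERROR_SYSCALL with no error queued. The point the raw parser makes is the one from the thread: only when the client bothers to send an alert does the server learn why the handshake ended, and only an orderly close lets it keep the session for resumption.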