RFC 2246 says:

   7.4.6. Client certificate

   When this message will be sent:

       This is the first message the client can send after receiving a
       server hello done message. This message is only sent if the
       server requests a certificate. If no suitable certificate is
       available, the client should send a certificate message
       containing no certificates.
Note that the wording is that the client SHOULD send a certificate message, not MUST. Yet, in s3_srvr.c, when it gets to the ClientKeyExchange msg and no cert msg was sent:

    /* If tls asked for a client cert, the client must return a 0 list */
    if ((s->version > SSL3_VERSION) && s->s3->tmp.cert_request)
        {
        SSLerr(SSL_F_SSL3_GET_CLIENT_CERTIFICATE,
               SSL_R_TLS_PEER_DID_NOT_RESPOND_WITH_CERTIFICATE_LIST);
        al=SSL_AD_UNEXPECTED_MESSAGE;
        goto f_err;
        }

And the handshake fails. Should the code really be more tolerant and handle a client that does not send the certificate message at all?

Erik Tkal
Funk Software, Inc.
replies to etkal(at)funk(dot)com

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
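The encoding of an empty Certificate message and the server-side sequencing decision discussed above, as an added example that is not part of the original post and not OpenSSL's code. It builds and parses RFC 2246 handshake messages (type byte, uint24 length, body; certificate_list<0..2^24-1> of ASN.1Cert<1..2^24-1>) and models the server's check after ServerHelloDone: the strict branch mirrors the s3_srvr.c logic quoted above, and the `tolerant` flag is a hypothetical option added here to show what accepting a missing Certificate message would mean. The one-entry DER blob in the usage section is a constructed placeholder, not a real certificate.

```python
# Added example (not OpenSSL code): RFC 2246 handshake framing and the
# "did the client send a (possibly empty) Certificate message" check.
HT_CERTIFICATE = 11         # HandshakeType certificate
HT_SERVER_HELLO_DONE = 14   # HandshakeType server_hello_done
HT_CLIENT_KEY_EXCHANGE = 16 # HandshakeType client_key_exchange

SSL3_VERSION = 0x0300
TLS1_VERSION = 0x0301       # RFC 2246


def build_handshake(msg_type, body):
    """Handshake header: 1-byte type, uint24 length, then the body."""
    if not 0 <= len(body) < (1 << 24):
        raise ValueError("handshake body length out of range")
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body


def build_certificate(certs):
    """Certificate message: uint24 list length, then uint24-prefixed DER blobs.
    An empty list is legal and is what RFC 2246 7.4.6 tells a client with
    no suitable certificate to send."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in certs)
    return build_handshake(HT_CERTIFICATE, len(entries).to_bytes(3, "big") + entries)


def parse_handshake(data):
    """Return (msg_type, body, remaining_bytes) for the first message in data."""
    if len(data) < 4:
        raise ValueError("short handshake header")
    msg_type = data[0]
    length = int.from_bytes(data[1:4], "big")
    if len(data) < 4 + length:
        raise ValueError("truncated handshake message")
    return msg_type, data[4:4 + length], data[4 + length:]


def parse_certificate_body(body):
    """Return the list of DER blobs in a Certificate body; [] for an empty list."""
    if len(body) < 3:
        raise ValueError("short certificate_list length")
    total = int.from_bytes(body[:3], "big")
    if 3 + total != len(body):
        raise ValueError("certificate_list length mismatch")
    certs, pos, end = [], 3, 3 + total
    while pos < end:
        if end - pos < 3:
            raise ValueError("truncated ASN.1Cert length")
        n = int.from_bytes(body[pos:pos + 3], "big")
        pos += 3
        if n == 0 or pos + n > end:       # ASN.1Cert is <1..2^24-1>
            raise ValueError("bad ASN.1Cert length")
        certs.append(body[pos:pos + n])
        pos += n
    return certs


def server_after_hello_done(version, cert_request, client_msgs, tolerant=False):
    """Model the server's handling of the client's first messages after
    ServerHelloDone.  `tolerant` is a hypothetical switch (added here) that
    treats a missing Certificate message like an empty one.  The SSL 3.0
    path (a no_certificate warning alert instead of an empty list) is not
    modelled; the version check is kept only to mirror the quoted branch."""
    msg_type, body, rest = parse_handshake(client_msgs)
    got_cert_msg, client_certs = False, []
    if msg_type == HT_CERTIFICATE:
        if not cert_request:
            return "fail: unexpected Certificate message"
        got_cert_msg = True
        client_certs = parse_certificate_body(body)
        msg_type, body, rest = parse_handshake(rest)
    if msg_type != HT_CLIENT_KEY_EXCHANGE:
        return "fail: expected ClientKeyExchange"
    # This is the check from s3_srvr.c: TLS clients asked for a cert must
    # at least send the empty list.
    if cert_request and not got_cert_msg and version > SSL3_VERSION and not tolerant:
        return "fail: peer did not respond with certificate list"
    if cert_request and not client_certs:
        return "ok: no client certificate (server policy decides)"
    return "ok: %d client certificate(s)" % len(client_certs)


if __name__ == "__main__":
    cke = build_handshake(HT_CLIENT_KEY_EXCHANGE, b"\x00\x02\xaa\xbb")  # constructed body
    print(build_certificate([]).hex())                                    # empty list on the wire
    print(server_after_hello_done(TLS1_VERSION, True, build_certificate([]) + cke))
    print(server_after_hello_done(TLS1_VERSION, True, cke))
    print(server_after_hello_done(TLS1_VERSION, True, cke, tolerant=True))
```

The empty Certificate message is seven bytes (type 0x0b, length 3, an all-zero uint24 list length), so the cost of sending it is negligible; the tolerant branch shows that accepting its absence also works, but it widens what the server must be prepared to see after ServerHelloDone.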