Michael Prinzinger:
> I wrote a customized "check certificate" method, that simply compares
> the certificate the client offered during the connection build up, to
> the certificate we know it should be using. This works fine.

That works so long as you already know the certificate the client should be using.

> However I think it would be more secure to be able to verify that the
> client is actually in possession of the private key belonging to this
> certificate, right?

You wouldn't be verifying the certificate unless the client has already authenticated with it.

> The protocol design, as I should implement it, however does not speak
> about signing a part of the payload with this private key; else it
> would be easy for me to do.
> That is why I hope to find some OpenSSL mechanism, that would allow
> me to do that independent of the payload.

If you're verifying a client certificate's validity, it would only be because the client has already authenticated with that certificate. Authentication with a certificate requires the private key.

DS
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org