On Jul 26, 2010, at 12:55 PM, Bryan Boone wrote:

> I would like to write an LDAP client that when a user connects to an LDAP
> server with SSL, that the client cert is automatically downloaded to the
> client. Then a prompt asks the client to accept or reject the cert. Is this
> possible when using the OpenSSL C libraries?
Do you mean the client cert (the certificate that the client has, which it uses to prove its identity to the server --- a relatively rare setup) or the server cert (the certificate that the server has, which it uses to prove its identity to the client --- a very common setup)?

If the latter, I think what you want to do is set a verify callback on the SSL context using SSL_CTX_set_verify(). The callback will be given the opportunity to decide whether to trust a given certificate, which you can do by prompting the user if you like.

Keep in mind that in the general case you actually have a whole chain of certificates to consider --- from the certificate authority (which, in the X.500 world, is what you actually trust) to the server (which you're actually talking to).

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org