After thinking about it I realized that was a silly suggestion - openssl.cnf is used by the command line client which is in the application realm - we are talking the libraries themselves here (which, as you have stated, know nothing about what the application is doing) so that obviously won't work.
I'll have to think about this for a bit. Anyway, thanks for the clarifications!

Ben

-----Original Message-----
From: CASTELLUCCI, BEN CIV DFAS
Sent: Thursday, May 24, 2012 11:21 AM
To: openssl-users@openssl.org
Subject: RE: pkcs11 Certificate Selection Dialog

Thank you for the reply - all of that makes perfect sense. And I am fairly certain it is because each operation is a new execution of the application.

Is there a possibility of maybe controlling this behavior with an external file, such as openssl.cnf? What I mean is maybe there could be a key in that file specifying the index to choose. That way, if the key is present, the certificate at the specified index will be used and the user would never get prompted. If there were some problem with the certificate at the specified index or the key doesn't exist then it would fall back to the prompt.

Let me know any thoughts on this.

Thanks!

Ben

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, May 24, 2012 9:52 AM
To: openssl-users@openssl.org
Subject: Re: pkcs11 Certificate Selection Dialog

On Thu, May 24, 2012, CASTELLUCCI, BEN CIV DFAS wrote:

> Greetings.
>
> Applications that make use of OpenSSL and deal with smart cards prompt
> the user to select a client certificate to use via a modal popup
> dialog window when there is more than one client certificate in the
> store that would satisfy the request. There does not seem to be a way to 'cache'
> the choice. Since the choice is not 'remembered' the user is
> continually prompted during back-to-back operations that require the
> client certificate. A pkcs11-enabled version control client
> (Subversion) is a good example. A simple commit may produce a half-dozen or more prompts.
>
> Is there currently a way to 'remember' the decision?
>
> Let me know any thoughts.
I'd assume this is a reference to the OpenSSL CryptoAPI ENGINE which can throw a modal dialog box to select certificates if compiled with certain options.

If it is the same instance of the same application then this shouldn't happen as the server should cache the session and not require signing for resumed sessions. If you do get them it points to problems with session caching on the server.

If the application is restarted several times without session resumption then OpenSSL has no way of knowing what the appropriate choice is as they all look independent as far as the OpenSSL back end is concerned. A kind of memory may be possible in future but it isn't currently supported.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org