That is very helpful. So it looks like there are 2 options, either selecting the first certificate or using the dialog.
It looks like there is a callback (client_cert_select) on the CAPI_CTX, which you can get from ENGINE_get_ex_data if you know the index (which seems to be static to the e_capi.c file). Is there a clean way to do what I want or do I have to hack it and look at the engine->ex_data->sk and make a guess at it?

--------
Thomas Fili

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dr. Stephen Henson
Sent: Thursday, July 26, 2012 6:42 PM
To: openssl-users@openssl.org
Subject: Re: Help with client certificates

On Wed, Jul 25, 2012, Fili, Tom wrote:

> I'm trying to set up my application to allow for the use of client
> certificates. I am using the capi engine to pull from the Windows store.
>
> I set up my ssl connection and it works fine if I set the correct
> certificate using SSL_CTX_use_certificate_ASN1 &
> ENGINE_load_private_key.
>
> From what I've read, in the SSL handshake where client certificates
> are required, the server actually sends back a list of CAs that it accepts.
> Is there something I can do after SSL_do_handshake or something I can
> do in place of it to get that list of CAs, so I can filter the list I
> display to the user (similar to the certificate dialogs you see in a
> browser).
>

There is an automatic client certificate selection feature in the capi ENGINE. You just pass the ENGINE parameter to SSL_CTX_set_client_cert_engine.

If OpenSSL is compiled with the OPENSSL_CAPIENG_DIALOG it will also display a dialog box.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
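
An added example, not part of the original thread and not OpenSSL code: a small C model of the flow discussed above, in which the client keeps only certificates issued by a CA the server listed and then applies a selection hook (first match, or a chooser standing in for the dialog). The struct, function names and sample data are hypothetical, and DNs are compared as plain strings for brevity.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical, simplified record: real code compares parsed X.509 names. */
struct cert { const char *subject, *issuer; int has_key; };

/* Selection hook: gets the filtered candidates, returns an index or -1. */
typedef int (*select_cb)(const struct cert **cands, size_t n);
/* "First certificate" policy. */
static int select_first(const struct cert **c, size_t n) { (void)c; return n ? 0 : -1; }
/* Stand-in for a user's dialog choice: picks the last candidate. */
static int select_last(const struct cert **c, size_t n) { (void)c; return (int)n - 1; }

static int issuer_accepted(const struct cert *c, const char *const *cas, size_t n_cas)
{
    if (n_cas == 0) return 1;  /* TLS: an empty CA list lets the client offer any certificate */
    for (size_t i = 0; i < n_cas; i++)
        if (strcmp(c->issuer, cas[i]) == 0)
            return 1;
    return 0;
}

/* Keep certificates with a private key and an accepted issuer, then let cb choose. */
static const struct cert *pick_client_cert(const struct cert *store, size_t n_store,
    const char *const *cas, size_t n_cas, select_cb cb)
{
    const struct cert *cands[16];
    size_t n = 0;
    for (size_t i = 0; i < n_store && n < 16; i++)
        if (store[i].has_key && issuer_accepted(&store[i], cas, n_cas))
            cands[n++] = &store[i];
    int idx = cb(cands, n);
    return (idx < 0 || (size_t)idx >= n) ? NULL : cands[idx];
}
/* Constructed sample data, not taken from any real store or server. */
static const struct cert STORE[] = {
    { "CN=alice-mail",  "CN=Mail CA",    1 },
    { "CN=alice-vpn",   "CN=Example CA", 1 },
    { "CN=alice-old",   "CN=Example CA", 0 },   /* no private key: unusable */
    { "CN=alice-admin", "CN=Example CA", 1 },
};
static const char *const SERVER_CAS[] = { "CN=Example CA" };

int main(void)
{
    const struct cert *a = pick_client_cert(STORE, 4, SERVER_CAS, 1, select_first);
    const struct cert *b = pick_client_cert(STORE, 4, SERVER_CAS, 1, select_last);
    printf("first: %s, chooser: %s\n", a ? a->subject : "(none)", b ? b->subject : "(none)");
    return 0;
}
```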