On Sat, Nov 23, 2013, Nabla C0d3 wrote:
> Hi,
>
> I would like my SSL client to be able to detect when the server it's
> connecting to requested a client cert. If the client doesn't provide a
> cert, the SSL handshake fails with "SSL alert number 40". However, AFAIK
> this error could be triggered by other problems with the handshake, so I
> can't use this alert to deduce that the handshake failed because my client
> didn't provide a cert.
>
> One way to detect this is to call SSL_get_client_CA_list() but there are
> servers that require a client cert and don't even return a CA list, so this
> is not reliable.
>
> How can my client detect that a handshake failed because the server
> requires a client certificate and it didn't supply one?
When a certificate is requested and one is not already configured an optional client certificate callback can be called. See the manual page for SSL_CTX_set_client_cert_cb for details. The function has some limitations but they aren't relevant for your application: which would simply be to note that the callback is called and not to configure a certificate at all.

Note however that this doesn't guarantee that the cause of a handshake failure is the lack of a client certificate. A server can continue the handshake if the client doesn't send a certificate and still fail later for a different reason. I think the only way to be reasonably sure is to analyse the messages or states of the client and see if you get the alert immediately after you don't send a certificate.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
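As an added example (not code from the thread and not part of OpenSSL), the message-analysis approach the reply describes, in Python: a minimal parser for TLS 1.2 records and handshake messages that classifies a failed handshake from a wire trace. It assumes a TLS 1.2 handshake, where CertificateRequest, the client's Certificate message and the early alert are still in the clear (TLS 1.3 encrypts them, so this would not apply there), and the traces are constructed inline. The CertificateRequest carries an empty CA list, the case from the question where SSL_get_client_CA_list() gives nothing useful. The classifier attributes the failure to the missing client certificate only when the server's very next record after the client's empty Certificate is a fatal handshake_failure (alert 40); if the server sent anything else in between, the failure came later and is reported as cause unknown, which is the caveat in the reply. The function names and return labels are this example's own.

```python
"""Classify a failed TLS 1.2 handshake from its plaintext record stream.
Added example, not from the thread or from OpenSSL. A trace is a list of
(direction, record_bytes) in wire order, "S" = server, "C" = client.
"""
import struct

CONTENT_CCS = 20
CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
HS_CERTIFICATE = 11
HS_CERTIFICATE_REQUEST = 13
ALERT_LEVEL_FATAL = 2
ALERT_BAD_RECORD_MAC = 20
ALERT_HANDSHAKE_FAILURE = 40


def record(content_type, body):
    """Build one TLS 1.2 record: type(1) || version(2) || length(2) || body."""
    return struct.pack("!BHH", content_type, 0x0303, len(body)) + body


def handshake(hs_type, payload):
    """Build one handshake message: type(1) || length(3) || payload."""
    return bytes([hs_type]) + len(payload).to_bytes(3, "big") + payload


def parse_record(data):
    """Return (content_type, body) for one record; raise on truncation."""
    content_type, _version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        raise ValueError("truncated record")
    return content_type, body


def parse_handshakes(body):
    """Yield (hs_type, payload) for each handshake message in a record body."""
    off = 0
    while off + 4 <= len(body):
        hs_type = body[off]
        length = int.from_bytes(body[off + 1:off + 4], "big")
        payload = body[off + 4:off + 4 + length]
        if len(payload) != length:
            raise ValueError("truncated handshake message")
        yield hs_type, payload
        off += 4 + length


def classify_failure(trace):
    """"client_cert_required": CertificateRequest seen, client sent an empty
    Certificate, and the server's very next record is fatal handshake_failure.
    "failed_after_cert_request": server asked but continued (or the client did
    send a cert) before failing, so the cause is unknown. "failed_other": fatal
    alert with no CertificateRequest at all. "no_fatal_alert": none seen."""
    cert_requested = False
    empty_cert_sent = False
    server_continued = False  # server sent something after the empty Certificate
    for direction, data in trace:
        content_type, body = parse_record(data)
        if content_type == CONTENT_ALERT:
            if direction != "S" or body[0] != ALERT_LEVEL_FATAL:
                continue
            if (cert_requested and empty_cert_sent and not server_continued
                    and body[1] == ALERT_HANDSHAKE_FAILURE):
                return "client_cert_required"
            return "failed_after_cert_request" if cert_requested else "failed_other"
        if content_type == CONTENT_HANDSHAKE:
            for hs_type, payload in parse_handshakes(body):
                if direction == "S" and hs_type == HS_CERTIFICATE_REQUEST:
                    cert_requested = True
                elif direction == "C" and hs_type == HS_CERTIFICATE:
                    # Certificate payload begins with a 3-byte certificate_list length
                    empty_cert_sent = int.from_bytes(payload[:3], "big") == 0
                    server_continued = False
        if direction == "S" and empty_cert_sent:
            server_continued = True
    return "no_fatal_alert"


def fatal_alert(description):
    return record(CONTENT_ALERT, bytes([ALERT_LEVEL_FATAL, description]))


# Constructed traces. The CertificateRequest is minimal: one certificate type
# (rsa_sign), no signature algorithms and an empty CA list.
CERT_REQUEST = record(CONTENT_HANDSHAKE,
                      handshake(HS_CERTIFICATE_REQUEST, b"\x01\x01\x00\x00\x00\x00"))
EMPTY_CLIENT_CERT = record(CONTENT_HANDSHAKE, handshake(HS_CERTIFICATE, b"\x00\x00\x00"))
# Server aborts as soon as it sees the empty Certificate.
TRACE_CERT_REQUIRED = [("S", CERT_REQUEST), ("C", EMPTY_CLIENT_CERT),
                       ("S", fatal_alert(ALERT_HANDSHAKE_FAILURE))]
# Server accepts the empty Certificate (sends ChangeCipherSpec) and fails later.
TRACE_FAILED_LATER = [("S", CERT_REQUEST), ("C", EMPTY_CLIENT_CERT),
                      ("S", record(CONTENT_CCS, b"\x01")),
                      ("S", fatal_alert(ALERT_BAD_RECORD_MAC))]
# Same alert number 40, but no certificate was ever requested.
TRACE_NO_REQUEST = [("S", fatal_alert(ALERT_HANDSHAKE_FAILURE))]
```

Calling `classify_failure(TRACE_CERT_REQUIRED)` gives `"client_cert_required"`, while `TRACE_FAILED_LATER` gives `"failed_after_cert_request"` even though it also ends in a fatal alert, because the server's ChangeCipherSpec between the empty Certificate and the alert shows it had accepted the missing certificate. In a real client the trace would come from a message or state callback rather than a hand-built list; the classification rule is the same.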