Great answer, thanks!
On Sat, Nov 23, 2013 at 4:54 PM, Dr. Stephen Henson <st...@openssl.org> wrote:
> On Sat, Nov 23, 2013, Nabla C0d3 wrote:
>
> > Hi,
> >
> > I would like my SSL client to be able to detect when the server it's
> > connecting to requested a client cert. If the client doesn't provide a
> > cert, the SSL handshake fails with "SSL alert number 40". However, AFAIK
> > this error could be triggered by other problems with the handshake, so I
> > can't use this alert to deduce that the handshake failed because my client
> > didn't provide a cert.
> >
> > One way to detect this is to call SSL_get_client_CA_list() but there are
> > servers that require a client cert and don't even return a CA list, so this
> > is not reliable.
> >
> > How can my client detect that a handshake failed because the server
> > requires a client certificate and it didn't supply one?
> >
>
> When a certificate is requested and one is not already configured an optional
> client certificate callback can be called. See the manual page for
> SSL_CTX_set_client_cert_cb for details. The function has some limitations but
> they aren't relevant for your application: which would simply be to note that
> the callback is called and not to configure a certificate at all.
>
> Note however that this doesn't guarantee that the cause of a handshake failure
> is the lack of a client certificate. A server can continue the handshake if the
> client doesn't send a certificate and still fail later for a different reason.
> I think the only way to be reasonably sure is to analyse the messages or states
> of the client and see if you get the alert immediately after you don't send a
> certificate.
>
> Steve.
> --
> Dr Stephen N. Henson. OpenSSL project core developer.
> Commercial tech support now available see: http://www.openssl.org