> On Sep 3, 2019, at 11:27 AM, M K Saravanan <mksa...@gmail.com> wrote:
>
> Thanks Richard for the reply. Let me rephrase my question:
>
> If a client encounters any error condition (e.g. it does not have access to the
> private key for whatever reason) in generating the signature, can it send
> zero bytes in the signature field of the CertificateVerify message to indicate
> the error condition? Is this allowed by the TLS 1.2 RFC?
There is nothing special about an all-zero or any other sequence of characters in the signature. A signature is either valid or not.

A client that does not possess the private key for its certificate can decline the server's request for a client certificate, by sending a zero-length ClientCertificate and no ClientVerify.

-- 
Viktor.
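The distinction drawn in this reply, expressed as server-side handling of the two TLS 1.2 handshake messages involved. This is an added illustration, not code from the thread or from any TLS implementation; the message bodies it parses are constructed inline, and the names `parse_certificate_body`, `parse_certificate_verify_body` and `classify_client_auth` are my own.

```python
from typing import List, Optional, Tuple

def parse_certificate_body(body: bytes) -> List[bytes]:
    """Body of a TLS 1.2 Certificate handshake message (RFC 5246 7.4.2):
    a 3-byte length for certificate_list, then entries each prefixed by a
    3-byte length. An empty list (b"\\x00\\x00\\x00") is the "no certificate" case."""
    if len(body) < 3:
        raise ValueError("truncated certificate_list length")
    total = int.from_bytes(body[:3], "big")
    if 3 + total != len(body):
        raise ValueError("certificate_list length mismatch")
    certs, off, end = [], 3, 3 + total
    while off < end:
        n = int.from_bytes(body[off:off + 3], "big")
        off += 3
        if n == 0 or off + n > end:
            raise ValueError("bad certificate entry length")
        certs.append(body[off:off + n])
        off += n
    return certs

def parse_certificate_verify_body(body: bytes) -> Tuple[int, int, bytes]:
    """Body of CertificateVerify (RFC 5246 7.4.8): DigitallySigned = 1-byte hash
    algorithm, 1-byte signature algorithm, 2-byte length, opaque signature."""
    if len(body) < 4:
        raise ValueError("truncated CertificateVerify")
    hash_alg, sig_alg = body[0], body[1]
    n = int.from_bytes(body[2:4], "big")
    if 4 + n != len(body):
        raise ValueError("signature length mismatch")
    return hash_alg, sig_alg, body[4:]

def classify_client_auth(cert_body: bytes, verify_body: Optional[bytes]) -> Tuple[str, Optional[bytes]]:
    """Decide what a server does with the client's Certificate / CertificateVerify pair.
    Returns ("declined", None) for the RFC-sanctioned opt-out (empty list, no
    CertificateVerify), ("fatal", None) for anything malformed, or
    ("check_signature", sig) where sig must then go through real verification."""
    certs = parse_certificate_body(cert_body)
    if not certs:
        # Zero-length certificate list: the client declined. A CertificateVerify
        # here makes no sense and is rejected. (A server that requires client
        # auth would treat "declined" as fatal too; that policy lives elsewhere.)
        return ("declined", None) if verify_body is None else ("fatal", None)
    if verify_body is None:
        return ("fatal", None)          # certificate sent but no proof of possession
    _, _, sig = parse_certificate_verify_body(verify_body)
    if len(sig) == 0:
        return ("fatal", None)          # empty signature is merely an invalid signature
    return ("check_signature", sig)     # no error channel exists in this field
```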