<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
Hi Timo,<br>
<blockquote cite="mid1150108477.17524.549.camel@localhost.localdomain"
type="cite">
<pre wrap="">Yes. Or if it's FAIL_IF_NO_PEER_CERT and the cert is invalid, what
happens? Does it disconnect immediately? I haven't tried.
</pre>
</blockquote>
If ssl_verify_client_cert() in ssl-proxy-openssl.c returns 0, the
connection is immediately dropped; if it returns 1, the error (no client
cert, cert revoked, CRL expired, etc.) is ignored. But I haven't
experimented much with it; in particular, I'm not certain if it
disconnects with SSL_VERIFY_CLIENT_ONCE and no peer certificate. I
think it should, but I haven't tested it... (I'll test it tonight)<br>
<blockquote cite="mid1150108477.17524.549.camel@localhost.localdomain"
type="cite">
<blockquote type="cite">
<pre wrap="">Maybe the valid-client-cert feature
can have a config file switch, or a #define in the source code. What's your
opinion?
</pre>
</blockquote>
<pre wrap="">
Well, at least I want to avoid adding more options to the config file.. Why
do you think it's so much better to disconnect immediately? Do clients
then give good error messages if that happens?
</pre>
</blockquote>
The main reason is that I thought it would be better to drop an
unwanted connection as soon as possible...<br>
<br>
Clients should receive errors like "certificate revoked", but I'll try
generating some errors and see what really happens...<br>
<br>
<blockquote cite="mid1150108477.17524.549.camel@localhost.localdomain"
type="cite">
<pre wrap="">
One possibility would be also to send the ssl_require_valid_client_cert
setting to the login process, and disconnect immediately if that's yes.
One problem with that is however that it's possible to have multiple
auth blocks with different ssl_require_valid_client_cert values, so the
code would have to check that all of them have it.
</pre>
</blockquote>
Another option is to leave it the way it is, and place a small comment
in the source code (or Wiki) which explains the other behaviour. ;-) <br>
<br>
<pre class="moz-signature" cols="72">--
groeten,
HenkJan Wolthuis
</pre>
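<br>
The two verify-callback policies discussed in this thread (return 0 to drop the connection during the handshake, or return 1 and let the auth code decide later), together with Timo's point that the login process may only disconnect immediately when every auth block requires a valid client cert, as an added self-contained model in C. This is not Dovecot's code: it uses plain ints and a small state struct instead of the OpenSSL X509_STORE_CTX type so it compiles without libssl; the return-value semantics follow SSL_CTX_set_verify().<br>

```c
/* Added example (not Dovecot's ssl_verify_client_cert): models the two
 * policies for an OpenSSL verify callback.  OpenSSL semantics: a callback
 * returning 0 aborts the handshake with a fatal alert; returning 1 continues. */
#include <stdbool.h>
#include <stddef.h>

/* Per-connection state the proxy keeps about the client certificate. */
struct client_cert_state {
    bool cert_received;   /* peer presented a certificate */
    bool cert_broken;     /* verification failed (revoked, expired CRL, ...) */
};

/* Policy A: fail closed inside the callback.  Returning preverify_ok
 * unchanged means an invalid cert drops the connection immediately. */
int verify_cb_disconnect(int preverify_ok, struct client_cert_state *st)
{
    st->cert_received = true;
    st->cert_broken = !preverify_ok;
    return preverify_ok;            /* 0 -> handshake aborted */
}

/* Policy B: always return 1 and only record the outcome; the login/auth
 * code applies ssl_require_valid_client_cert later. */
int verify_cb_defer(int preverify_ok, struct client_cert_state *st)
{
    st->cert_received = true;
    st->cert_broken = !preverify_ok;
    return 1;                       /* error ignored at handshake time */
}

/* The login process may disconnect at handshake time only if every auth
 * block requires a valid client cert (assumed constructed settings array). */
bool may_disconnect_at_handshake(const bool *require_valid, size_t n_auth_blocks)
{
    for (size_t i = 0; i < n_auth_blocks; i++)
        if (!require_valid[i])
            return false;
    return n_auth_blocks > 0;
}

/* Deferred decision once the matching auth block's setting is known:
 * reject when a valid cert is required but none was received or it failed. */
bool auth_rejects_client(const struct client_cert_state *st, bool require_valid)
{
    if (!require_valid)
        return false;
    return !st->cert_received || st->cert_broken;
}
```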
</body>
</html>