On Mon, 2006-06-12 at 12:30 +0200, HenkJan Wolthuis wrote:
- ssl_verify_client_cert now returns 0 in case of an invalid cert. Was there a reason why it always returned 1?
Yes. ssl_verify_client_cert=yes doesn't require the certificate to be valid. Only ssl_require_valid_client_cert=yes in auth settings does that. This allows for some people to authenticate with certificates and others to authenticate the usual way. So I dropped this part of your patch.
OK, you also changed SSL_VERIFY_FAIL_IF_NO_PEER_CERT back to SSL_VERIFY_CLIENT_ONCE, same reason?
Yes. Or if it's FAIL_IF_NO_PEER_CERT and the cert is invalid, what happens? Does it disconnect immediately? I haven't tried.
Maybe the valid-client-cert-feature can have a conf.file switch, or a #define in the source code. What's your opinion?
Well, at least I want to avoid adding more options to the config file. Why do you think it's so much better to disconnect immediately? Do clients then give good error messages if that happens?
One possibility would be to also send the ssl_require_valid_client_cert setting to the login process, and disconnect immediately if that's yes. One problem with that, however, is that it's possible to have multiple auth blocks with different ssl_require_valid_client_cert values, so the code would have to check that all of them have it.
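The following sketch is an added example, not part of the thread and not the project's code. It shows the "all auth blocks must agree" check proposed above and how it would select between the lenient verify policy (handshake continues, validity only recorded) and the strict one. The `struct auth_block` type and the function names are hypothetical, and combining the flags with `SSL_VERIFY_PEER` is an assumption based on how OpenSSL server-side verification works.

```c
#include <stdbool.h>
#include <stddef.h>

/* Verify-mode flags, same values as in <openssl/ssl.h>; redefined here only
   so the example builds without OpenSSL installed. */
#ifndef SSL_VERIFY_PEER
#define SSL_VERIFY_PEER                 0x01
#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
#define SSL_VERIFY_CLIENT_ONCE          0x04
#endif

/* Hypothetical stand-in for one parsed "auth" block of the config. */
struct auth_block {
    bool ssl_require_valid_client_cert;
};

/* True only if there is at least one auth block and every one of them
   requires a valid client cert. An empty list must not count as strict. */
static bool all_auth_require_valid_cert(const struct auth_block *blocks, size_t n)
{
    if (n == 0)
        return false;
    for (size_t i = 0; i < n; i++) {
        if (!blocks[i].ssl_require_valid_client_cert)
            return false;
    }
    return true;
}

/* Mode to pass to SSL_CTX_set_verify() in the login process. */
static int login_verify_mode(bool verify_client_cert, bool strict)
{
    if (!verify_client_cert)
        return 0; /* SSL_VERIFY_NONE */
    int mode = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
    if (strict)
        mode |= SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
    return mode;
}

/* Policy for the verify callback's return value. In non-strict mode the
   handshake continues (return 1) and validity is only recorded, so users
   without a valid cert can still authenticate the usual way. */
static int verify_callback_result(int preverify_ok, bool strict, bool *cert_valid)
{
    *cert_valid = preverify_ok != 0;
    return strict ? preverify_ok : 1;
}
```

With one auth block set to `no`, the check returns false and the login process keeps the lenient policy, which preserves the mixed certificate/password setup described earlier in the thread.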