Hi Timo,
> Yes. Or if it's FAIL_IF_NO_PEER_CERT and the cert is invalid, what
> happens? Does it disconnect immediately? I haven't tried.

If ssl_verify_client_cert() in ssl-proxy-openssl.c returns 0 the
connection is immediately dropped; if it returns 1 the error (no client
cert, cert revoked, CRL expired etc.) is ignored. But I haven't
experimented much with it; in particular, I'm not certain if it
disconnects with SSL_VERIFY_CLIENT_ONCE and no peer certificate. I
think it should, but I haven't tested it... (I'll test it tonight.)

>> Maybe the valid-client-cert feature
>> can have a conf.file switch, or a #define in the source code, what's your
>> opinion?
>
> Well, at least I want to avoid adding more options to the config file.
> Why do you think it's so much better to disconnect immediately? Do
> clients then give good error messages if that happens?

The main reason is that I thought it would be better to drop an
unwanted connection as soon as possible...

Clients should receive errors like "certificate revoked", but I'll try
generating some errors and see what really happens...

> One possibility would be to send also the ssl_require_valid_client_cert
> setting to the login process, and disconnect immediately if that's yes.
> One problem with that is however that it's possible to have multiple
> auth blocks with different ssl_require_valid_client_cert values, so the
> code would have to check that all of them have it.

Another option is to leave it the way it is, and place a small comment
in the source code (or Wiki) which explains the other behaviour. ;-)
--
groeten,
HenkJan Wolthuis