AW: [iaik-ssl] How to do client authentication only?
> > Take a look at the iaik.security.ssl.ServerTrustDecider. This is called
> > whenever a new session is established on your server. If the client has not
> > presented a certificate chain or the chain is not trusted, return false.
> > The end result: the client is forced to authenticate itself.
>
> This is not a part of the SSL standard. That is what is at issue here.
This is not true.
See page 43 of RFC 2246:
This message is only sent if the server requests a certificate. If no
suitable certificate is available, the client should send a certificate
message containing no certificates. If client authentication is required by
the server for the handshake to continue, it may respond with a fatal
handshake failure alert.
Besides this, if you intend to improve SSL/TLS, there is a mailing list of
the TLS-WG which would be a more appropriate place to go to.
Peter
______________________________________
Dr. Peter Lipp
IAIK, TU Graz
Inffeldgasse 16a, A-8010 Graz, Austria
Tel: +43 316 873 5513
Fax: +43 316 873 5520
Web: www.iaik.at
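The handshake behaviour quoted from RFC 2246 above can be observed directly with a standard TLS stack. The following is an added example, not code from this thread or from the IAIK library: it uses Go's crypto/tls instead of iaik.security.ssl.ServerTrustDecider, and it generates two throwaway self-signed certificates in memory (constructed fixtures, not real identities). The server is configured to request and require a client certificate; a client that presents none sends an empty certificate message, and the server aborts the handshake with a fatal alert, while a client holding a certificate the server trusts completes the handshake. The server listens on a loopback TCP port chosen by the OS.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Fixtures holds constructed, in-memory self-signed certificates (test
// fixtures generated at run time, not real identities).
type Fixtures struct {
	Server tls.Certificate
	Client tls.Certificate
}

// selfSigned builds a throwaway self-signed certificate for cn with the given
// extended key usage. Each cert is its own trust anchor, so the peer can pin
// it directly in a CertPool.
func selfSigned(cn string, eku x509.ExtKeyUsage) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// NewFixtures generates one server and one client certificate.
func NewFixtures() (*Fixtures, error) {
	srv, err := selfSigned("example server (constructed)", x509.ExtKeyUsageServerAuth)
	if err != nil {
		return nil, err
	}
	cli, err := selfSigned("example client (constructed)", x509.ExtKeyUsageClientAuth)
	if err != nil {
		return nil, err
	}
	return &Fixtures{Server: srv, Client: cli}, nil
}

// TryHandshake runs one TLS handshake over loopback TCP. The server always
// sends a CertificateRequest and refuses to continue without an acceptable
// answer; the client presents its certificate only when sendClientCert is
// true. Both sides' handshake errors are returned (nil means success).
func TryHandshake(f *Fixtures, sendClientCert bool) (serverErr, clientErr error) {
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(f.Client.Leaf)
	serverCAs := x509.NewCertPool()
	serverCAs.AddCert(f.Server.Leaf)

	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{f.Server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // request + require a trusted client cert
		ClientCAs:    clientCAs,
		MinVersion:   tls.VersionTLS12,
	}
	cliCfg := &tls.Config{RootCAs: serverCAs, ServerName: "localhost", MinVersion: tls.VersionTLS12}
	if sendClientCert {
		cliCfg.Certificates = []tls.Certificate{f.Client}
	}

	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return err, err
	}
	defer ln.Close()
	done := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			done <- err
			return
		}
		srv := tls.Server(raw, srvCfg)
		err = srv.Handshake() // fatal alert + error when the client sent no usable certificate
		srv.Close()
		done <- err
	}()

	raw, err := net.Dial("tcp", ln.Addr().String())
	if err != nil {
		ln.Close()
		return <-done, err
	}
	cli := tls.Client(raw, cliCfg)
	clientErr = cli.Handshake()
	cli.Close()
	return <-done, clientErr
}

func main() {
	f, err := NewFixtures()
	if err != nil {
		panic(err)
	}
	s, c := TryHandshake(f, false)
	fmt.Printf("no client cert:   server=%v client=%v\n", s, c)
	s, c = TryHandshake(f, true)
	fmt.Printf("with client cert: server=%v client=%v\n", s, c)
}
```

Only the server-side error is a reliable indicator of the outcome: in TLS 1.3 the client's handshake can finish before the server's alert arrives, so the client may only notice the rejection on its first read or write. The decision is made entirely by the server, which is exactly what the quoted RFC text describes; the client cannot opt out of a required certificate.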