
RE: [iaik-ssl] How to do client authentication only?



> While it is true that the SSL protocol itself cannot force the client to
> authenticate itself, you can augment the handshaking phase to effectively
> force the client to authenticate itself.
> 
> Take a look at the iaik.security.ssl.ServerTrustDecider.  This is called
> whenever a new session is established on your server.  If the client has not
> presented a certificate chain or the chain is not trusted, return false.
> The end result: the client is forced to authenticate itself.

This is not a part of the SSL standard.  That is what is at issue here.

Fred Dushin

--
Mailinglist-archive at http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html

To unsubscribe send an email to listserv@iaik.at with the following content: UNSUBSCRIBE iaik-ssl