
Re: [iaik-ssl] How to do client authentication only?

> > Take a look at the iaik.security.ssl.ServerTrustDecider.  This is called
> > whenever a new session is established on your server.  If the client has not
> > presented a certificate chain or the chain is not trusted, return false.
> > The end result: the client is forced to authenticate itself.
> This is not a part of the SSL standard.  That is what is at issue here.

This is not true.

See page 43 of RFC 2246:

This message is only sent if the server requests a certificate. If no
suitable certificate is available, the client should send a certificate
message containing no certificates. If client authentication is required by
the server for the handshake to continue, it may respond with a fatal
handshake failure alert.

Besides this, if you intend to improve SSL/TLS, there is a mailing list of
the TLS-WG which would be a more appropriate place to go.

Dr. Peter Lipp
Inffeldgasse 16a, A-8010 Graz, Austria
Tel: +43 316 873 5513
Fax: +43 316 873 5520
Web: www.iaik.at
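The RFC 2246 behaviour quoted in the reply above, as an added example that is not part of the original post or of the IAIK library: the server has sent a CertificateRequest, the client answers with a Certificate message whose certificate_list is empty, and the server either continues (client authentication optional) or answers with a fatal handshake_failure alert (client authentication required). The wire encodings follow RFC 2246; the function names, the `is_trusted` callback standing in for the ServerTrustDecider role, and the sample certificate bytes are constructed here for illustration, not real DER.

```python
"""Model of the RFC 2246 client-certificate decision (added example, not the
original post's or IAIK's code). Builds and parses the TLS 1.0 Certificate
handshake message and the fatal handshake_failure alert record."""
import struct

# TLS 1.0 constants from RFC 2246
TLS_VERSION = b"\x03\x01"
CONTENT_ALERT = 21          # record content type: alert
CONTENT_HANDSHAKE = 22      # record content type: handshake
HS_CERTIFICATE = 11         # handshake type: certificate
ALERT_FATAL = 2
HANDSHAKE_FAILURE = 40


def build_certificate_message(der_certs):
    """Encode a Handshake.Certificate message (RFC 2246 section 7.4.2).
    An empty list yields the 'certificate message containing no certificates'."""
    entries = b"".join(len(c).to_bytes(3, "big") + c for c in der_certs)
    body = len(entries).to_bytes(3, "big") + entries   # certificate_list<0..2^24-1>
    return bytes([HS_CERTIFICATE]) + len(body).to_bytes(3, "big") + body


def build_record(content_type, payload):
    """Wrap a payload in a TLSPlaintext record (RFC 2246 section 6.2.1)."""
    return bytes([content_type]) + TLS_VERSION + struct.pack(">H", len(payload)) + payload


def parse_certificate_record(record):
    """Return the DER certificates carried by a handshake record holding a
    Certificate message; raise ValueError on anything malformed or truncated."""
    if len(record) < 5 or record[0] != CONTENT_HANDSHAKE:
        raise ValueError("not a handshake record")
    (rec_len,) = struct.unpack(">H", record[3:5])
    payload = record[5:5 + rec_len]
    if len(payload) != rec_len or len(payload) < 4 or payload[0] != HS_CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    hs_len = int.from_bytes(payload[1:4], "big")
    body = payload[4:4 + hs_len]
    if len(body) != hs_len or len(body) < 3:
        raise ValueError("truncated Certificate message")
    list_len = int.from_bytes(body[0:3], "big")
    data = body[3:3 + list_len]
    if len(data) != list_len:
        raise ValueError("certificate_list length mismatch")
    certs, pos = [], 0
    while pos < len(data):
        if pos + 3 > len(data):
            raise ValueError("truncated certificate entry")
        n = int.from_bytes(data[pos:pos + 3], "big")
        pos += 3
        if pos + n > len(data):
            raise ValueError("truncated certificate entry")
        certs.append(data[pos:pos + n])
        pos += n
    return certs


def server_decision(record, client_auth_required, is_trusted):
    """Server-side policy after a CertificateRequest has been sent.
    is_trusted(certs) is the caller's chain check (the ServerTrustDecider role
    from the quoted reply; hypothetical callback, not the IAIK API).
    Returns ("continue", certs) or ("alert", alert_record)."""
    certs = parse_certificate_record(record)
    if certs and is_trusted(certs):
        return ("continue", certs)
    if not certs and not client_auth_required:
        return ("continue", certs)      # anonymous client accepted
    # no chain while one is required, or a chain the server does not trust:
    # answer with a fatal handshake_failure alert (RFC 2246 section 7.4.6)
    alert = build_record(CONTENT_ALERT, bytes([ALERT_FATAL, HANDSHAKE_FAILURE]))
    return ("alert", alert)


# Constructed sample messages (the "certificate" bytes are a placeholder, not real DER).
EMPTY_CERT_RECORD = build_record(CONTENT_HANDSHAKE, build_certificate_message([]))
FAKE_CERT = b"\x30\x03\x02\x01\x01"
ONE_CERT_RECORD = build_record(CONTENT_HANDSHAKE, build_certificate_message([FAKE_CERT]))

if __name__ == "__main__":
    print("empty Certificate record:", EMPTY_CERT_RECORD.hex())
    print("auth optional:", server_decision(EMPTY_CERT_RECORD, False, lambda c: True))
    print("auth required:", server_decision(EMPTY_CERT_RECORD, True, lambda c: True))
```

The empty Certificate message on the wire is `0b 00 00 03 00 00 00`: handshake type 11, a three-byte length of 3, and a three-byte certificate_list length of 0. That is what a server must look for when deciding whether the client declined to authenticate; a missing Certificate message altogether is a different (protocol-violating) case.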