From 197322455d61829572d1792da03e4d0750d5638a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Lutz=20J=C3=A4nicke?= Date: Tue, 17 Apr 2001 13:18:56 +0000 Subject: [PATCH] Clarify request of client certificates. This is a FAQ. --- FAQ | 8 ++++++++ doc/ssl/SSL_get_peer_certificate.pod | 9 ++++++++- 2 files changed, 16 insertions(+), 1 deletion(-) diff --git a/FAQ b/FAQ index e9cc698100..019c016beb 100644 --- a/FAQ +++ b/FAQ @@ -47,6 +47,7 @@ OpenSSL - Frequently Asked Questions * Why do I get errors about unknown algorithms? * Why can't the OpenSSH configure script detect OpenSSL? * Can I use OpenSSL's SSL library with non-blocking I/O? +* Why doesn't my server application receive a client certificate? =============================================================================== @@ -519,5 +520,12 @@ requiring a bi-directional message exchange; both SSL_read() and SSL_write() will try to continue any pending handshake. +* Why doesn't my server application receive a client certificate? + +Due to the TLS protocol definition, a client will only send a certificate, +if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the +SSL_CTX_set_verify() function to enable the use of client certificates. + + =============================================================================== diff --git a/doc/ssl/SSL_get_peer_certificate.pod b/doc/ssl/SSL_get_peer_certificate.pod index 1102c7fba9..18d1db5183 100644 --- a/doc/ssl/SSL_get_peer_certificate.pod +++ b/doc/ssl/SSL_get_peer_certificate.pod 
@@ -17,6 +17,12 @@ peer presented. If the peer did not present a certificate, NULL is returned. =head1 NOTES +Due to the protocol definition, a TLS/SSL server will always send a +certificate, if present. A client will only send a certificate when +explicitely requested to do so by the server (see +L). If an anonymous cipher +is used, no certificates are sent. + That a certificate is returned does not indicate information about the verification state, use L to check the verification state. @@ -43,6 +49,7 @@ The return value points to the certificate presented by the peer. =head1 SEE ALSO -L, L +L, L, +L =cut -- GitLab
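Review bot: In the new FAQ entry (the second FAQ hunk, "Why doesn't my server application receive a client certificate?"), "explicitely" should be "explicitly", and the comma in "will only send a certificate, if explicitely asked by the server" should go. More importantly, the entry stops short of the behaviour that actually trips people up: SSL_VERIFY_PEER only makes the server request a certificate, and a client that has none will still complete the handshake. Suggest adding a sentence after "to enable the use of client certificates." saying that the application must then check the result of SSL_get_peer_certificate() for NULL (as the pod in this same patch documents) or additionally set SSL_VERIFY_FAIL_IF_NO_PEER_CERT to abort the handshake when no certificate is presented.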
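Review bot: In the NOTES hunk of SSL_get_peer_certificate.pod, "explicitely" should be "explicitly", and the comma in "will always send a certificate, if present" is unneeded. The cross-reference in "(see L)" renders here as a bare L with no target; please confirm the pod source names SSL_CTX_set_verify(3), the function the FAQ entry in this patch points to, since an empty L<> link is the kind of thing pod2man silently passes through. The three-case summary itself (server always sends one if it has one, client only on request, none under an anonymous cipher) is correct and worth keeping as written.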