Supplemental changes for PR #1357 #1363
Conversation
Updating scope of constants, making variables final.
CK_TLS_NEED_CLIENT_AUTH,
"TLS Need Client Auth",
false,
"TLS Need Client Auth")
I think it would be good to have a small description what "Need Client Auth" (and also "Want Client Auth") actually means.
Also setting "need client auth" does not have any effect. I can still send with a client that has no client certificates configured. Only "want client auth" seems to make a difference. If it is checked, the connection fails if no client certs are configured.
Can someone explain why we need both? @gbu-censhare
From the JavaDoc it reads like this:
setNeedClientAuth: Configures the engine to require client authentication. This option is only useful for engines in the server mode. An engine's client authentication setting is one of the following: client authentication required, client authentication requested, no client authentication desired
setWantClientAuth: Configures the engine to request client authentication. This option is only useful for engines in the server mode. An engine's client authentication setting is one of the following: client authentication required, client authentication requested, no client authentication desired
So "want" asks if possible, "need" requires one. From the documentation, "want" is optional in my opinion; I added it for completeness.
Okay, the confusion is solved.
The "want" option accepts clients without any cert and clients with a valid cert. Clients with invalid certs are not accepted.
The "need" option only accepts clients with a valid certificate.
The code needs to be changed to only set one of the options because they overwrite each other. @joschi is currently working on that.
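The overwrite behaviour described in the comment above can be observed without any network traffic, because the two flags are plain state on the engine. The following is an added illustration, not code from this pull request or from the project: it creates a server-mode SSLEngine from the JVM's default SSLContext, shows that setting both flags leaves only the last one active, and wraps the choice in a hypothetical configureClientAuth helper (the ClientAuth enum and helper names are assumptions for this example) so that exactly one mode is ever applied.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.security.NoSuchAlgorithmException;

public class ClientAuthDemo {

    /** The three client-authentication states named in the SSLEngine JavaDoc (hypothetical enum). */
    enum ClientAuth { NONE, WANT, NEED }

    /**
     * Applies exactly one of the mutually exclusive settings (hypothetical helper, not project code).
     * setWantClientAuth and setNeedClientAuth each override the other, so calling both
     * leaves only the last call in effect; this helper never calls both.
     */
    static void configureClientAuth(SSLEngine engine, ClientAuth mode) {
        switch (mode) {
            case NEED:
                // Handshake fails unless the client presents a valid certificate.
                engine.setNeedClientAuth(true);
                break;
            case WANT:
                // Certificate is requested; a missing cert is accepted, an invalid one is rejected.
                engine.setWantClientAuth(true);
                break;
            default:
                // Clearing NEED also clears WANT, so no client authentication is requested at all.
                engine.setNeedClientAuth(false);
                break;
        }
    }

    /** Reports the engine's current client-auth flags for inspection. */
    static String describe(SSLEngine engine) {
        return "need=" + engine.getNeedClientAuth() + " want=" + engine.getWantClientAuth();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLEngine engine = SSLContext.getDefault().createSSLEngine();
        // Both settings are only meaningful for the server side of the handshake.
        engine.setUseClientMode(false);

        // Treating the two flags as independent checkboxes: the second call undoes the first.
        engine.setNeedClientAuth(true);
        engine.setWantClientAuth(true);
        System.out.println("NEED then WANT: " + describe(engine));

        engine.setWantClientAuth(true);
        engine.setNeedClientAuth(true);
        System.out.println("WANT then NEED: " + describe(engine));

        // Choosing a single mode up front avoids the silent override.
        configureClientAuth(engine, ClientAuth.NEED);
        System.out.println("configureClientAuth(NEED): " + describe(engine));
    }
}
```

Running the class prints the flag state after each step; whichever setter is called last wins, which is why a UI that exposes both as separate checkboxes cannot reliably enforce "need". Mapping the user-facing setting to a single three-valued choice, as the helper does, is the straightforward fix.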
Nice, thanks for spotting my mistakes. to enable TCP compression, so if you're interested I can create a pull request for this:
LGTM and tested with several clients. 👍
Supplemental changes for PR #1357
Some supplemental changes to PR #1357 to speed up things due to the upcoming code freeze.