Skip to content
This repository

ssl_verify_peer() when the client provides no cert (proposal) #195

Open
ibc opened this Issue May 02, 2011 · 2 comments

2 participants

Iñaki Baz Castillo Burke Libbey
Iñaki Baz Castillo
ibc commented May 02, 2011

If a client provides no certificate in the TLS negociation ssl_verify_peer(cert) is not called (as such method is called for each certificate provided by the client).

Let's say I want to deny a connection if the client provides an invalid certificate, but also if the client provides no certificate.
How to handle this last case? A workaround would be using cert=get_peer_cert() in ssl_handshake_completed() method and deny the connection if cert is nil.

However, I suggest than when the EM server runs start_tls with :verify_peer => true, the ssl_verify_peer(cert) is also called even if the client no provides a certificate. In this case, the method would be called with nil as argument. In this way the server realizes that no certificate is provided so can reject the connection.

Another solution could be a new callback no_peer_ssl() which is invoked in case no certificate is provided by client. Honestly I prefer the solution above (simpler IMHO).

Iñaki Baz Castillo

Hi, any comment about this proposal? does it seem useful/feasible?

Burke Libbey
burke commented May 24, 2012

We could just set the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag if :verify_peer is true, but it would really be nice to get that to call ssl_verify_peer... I'll try to find a way to make it do that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.