
ssl_verify_peer() when the client provides no cert (proposal) #195

Open
ibc opened this issue May 2, 2011 · 2 comments
@ibc
Contributor

ibc commented May 2, 2011

If a client provides no certificate in the TLS negotiation, ssl_verify_peer(cert) is not called (as such a method is called for each certificate provided by the client).

Let's say I want to deny a connection if the client provides an invalid certificate, but also if the client provides no certificate.
How to handle this last case? A workaround would be using cert=get_peer_cert() in ssl_handshake_completed() method and deny the connection if cert is nil.

However, I suggest that when the EM server runs start_tls with :verify_peer => true, ssl_verify_peer(cert) is also called even if the client does not provide a certificate. In this case, the method would be called with nil as argument. In this way the server realizes that no certificate is provided, so it can reject the connection.

Another solution could be a new callback no_peer_ssl() which is invoked in case no certificate is provided by client. Honestly I prefer the solution above (simpler IMHO).
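
A worked example of the workaround described in this comment (checking get_peer_cert in ssl_handshake_completed) combined with CA verification in ssl_verify_peer. This is added illustration, not code from the issue or from EventMachine: ClientCertGuard, FakeConnection, make_cert and simulate are hypothetical names, the server.key/server.crt paths are assumed, and the CA and client certificates are generated in-process as constructed test material. FakeConnection stands in for EM::Connection so the callbacks can be exercised without a running reactor.

```ruby
require 'openssl'

# Hypothetical EM handler: accept a client only if every certificate it presents
# chains to a trusted CA, and close the session if it presents none at all.
module ClientCertGuard
  attr_reader :rejected_reason

  def initialize(ca_store)
    @ca_store = ca_store
  end

  def post_init
    # Assumed server credentials on disk. :verify_peer => true is what makes EM
    # request a client certificate and call ssl_verify_peer for each one sent.
    start_tls(:private_key_file => "server.key",
              :cert_chain_file  => "server.crt",
              :verify_peer      => true)
  end

  # Called once per certificate the client presents (PEM text). Returning false
  # makes EM drop the connection, so ssl_handshake_completed never runs.
  def ssl_verify_peer(pem)
    cert = OpenSSL::X509::Certificate.new(pem)
    return true if @ca_store.verify(cert)
    @rejected_reason = "untrusted certificate: #{@ca_store.error_string}"
    false
  rescue OpenSSL::X509::CertificateError => e
    @rejected_reason = "unparseable certificate: #{e.message}"
    false
  end

  # ssl_verify_peer is never invoked when the client sends no certificate,
  # so the "no cert" case must be caught here, once the handshake is done.
  def ssl_handshake_completed
    return true unless get_peer_cert.nil?
    @rejected_reason = "no client certificate presented"
    close_connection
    false
  end
end

# Stand-in for EM::Connection (hypothetical): records what the handler did.
class FakeConnection
  include ClientCertGuard
  attr_reader :closed

  def initialize(ca_store, peer_cert_pem)
    super(ca_store)            # ClientCertGuard#initialize
    @peer_cert = peer_cert_pem # nil models a client that sent no certificate
    @closed = false
  end

  def start_tls(*); end
  def get_peer_cert; @peer_cert; end
  def close_connection; @closed = true; end
end

# Constructed test material: a throwaway CA plus one CA-signed and one self-signed client cert.
def make_cert(subject, key, serial, issuer_cert: nil, issuer_key: nil, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

CA_KEY       = OpenSSL::PKey::RSA.new(2048)
CA_CERT      = make_cert("/CN=Example Client CA", CA_KEY, 1, ca: true)
GOOD_CLIENT  = make_cert("/CN=good-client", OpenSSL::PKey::RSA.new(2048), 2,
                         issuer_cert: CA_CERT, issuer_key: CA_KEY)
ROGUE_CLIENT = make_cert("/CN=rogue-client", OpenSSL::PKey::RSA.new(2048), 3)
CA_STORE     = OpenSSL::X509::Store.new.tap { |s| s.add_cert(CA_CERT) }

# Drive the callbacks the way EM would: verify each presented cert, then complete
# the handshake only if verification passed. Returns [accepted?, reason].
def simulate(ca_store, client_cert)
  conn = FakeConnection.new(ca_store, client_cert && client_cert.to_pem)
  conn.post_init
  if client_cert && !conn.ssl_verify_peer(client_cert.to_pem)
    return [false, conn.rejected_reason]
  end
  [conn.ssl_handshake_completed, conn.rejected_reason]
end

if $PROGRAM_NAME == __FILE__
  p simulate(CA_STORE, GOOD_CLIENT)
  p simulate(CA_STORE, ROGUE_CLIENT)
  p simulate(CA_STORE, nil)
end
```

In a real server the handler would be wired with EM.start_server(host, port, ClientCertGuard, CA_STORE) (an assumed invocation, not shown above). Note that the verification in ssl_verify_peer checks each certificate individually against the store rather than the whole chain at once, which is enough for a single-level CA but would need the chain passed to OpenSSL::X509::Store#verify for deeper hierarchies.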

@ibc
Contributor Author

ibc commented Nov 3, 2011

Hi, any comment about this proposal? Does it seem useful/feasible?

@burke

burke commented May 24, 2012

We could just set the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag if :verify_peer is true, but it would really be nice to get that to call ssl_verify_peer... I'll try to find a way to make it do that.
