If a client provides no certificate in the TLS negotiation, ssl_verify_peer(cert) is not called (that method is called once for each certificate provided by the client).
Let's say I want to deny a connection if the client provides an invalid certificate, but also if the client provides no certificate.
How should this last case be handled? A workaround would be using cert = get_peer_cert() in the ssl_handshake_completed() method and denying the connection if cert is nil.
However, I suggest that when the EM server runs start_tls with :verify_peer => true, ssl_verify_peer(cert) is also called even if the client provides no certificate. In this case, the method would be called with nil as its argument. In this way the server realizes that no certificate was provided and can reject the connection.
Another solution could be a new callback no_peer_ssl() which is invoked in case no certificate is provided by the client. Honestly I prefer the solution above (simpler IMHO).
Hi, any comment about this proposal? Does it seem useful/feasible?
We could just set the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag if :verify_peer is true, but it would really be nice to get that to call ssl_verify_peer... I'll try to find a way to make it do that.
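The workaround discussed in this thread (checking get_peer_cert in ssl_handshake_completed because ssl_verify_peer is never invoked for a client that sends no certificate), as an added example that is not part of the issue or of EventMachine's own code. The CA, the two client certificates and the ClientCertPolicy module are constructed inline so the policy can be exercised offline; the server key and certificate paths in MtlsServer are hypothetical placeholders, and the EventMachine part is only defined when the gem is installed.

```ruby
require 'openssl'
begin
  require 'eventmachine'
rescue LoadError
  # EventMachine is only needed for the server class at the bottom; the
  # policy helpers below work with the OpenSSL standard library alone.
end

module ClientCertPolicy
  # Build a throwaway CA and two client certificates in memory so the
  # example runs offline (constructed test material, not real keys).
  def self.make_cert(subject, key, issuer_cert, issuer_key, ca: false)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = OpenSSL::BN.rand(64)
    cert.subject = OpenSSL::X509::Name.parse(subject)
    cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
    cert.public_key = key.public_key
    cert.not_before = Time.now - 60
    cert.not_after = Time.now + 3600
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = issuer_cert || cert
    cert.add_extension(ef.create_extension('basicConstraints',
                                           ca ? 'CA:TRUE' : 'CA:FALSE', true))
    cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
    cert
  end

  CA_KEY   = OpenSSL::PKey::RSA.new(2048)
  CA_CERT  = make_cert('/CN=Example Client CA', CA_KEY, nil, nil, ca: true)
  CA_STORE = OpenSSL::X509::Store.new.tap { |s| s.add_cert(CA_CERT) }

  # A client certificate issued by our CA (should be accepted) ...
  client_key = OpenSSL::PKey::RSA.new(2048)
  GOOD_PEM = make_cert('/CN=good-client', client_key, CA_CERT, CA_KEY).to_pem
  # ... and a self-signed one from an unknown issuer (should be rejected).
  rogue_key = OpenSSL::PKey::RSA.new(2048)
  SELF_SIGNED_PEM = make_cert('/CN=rogue-client', rogue_key, nil, nil).to_pem

  # pem is the PEM string EventMachine hands to ssl_verify_peer, or nil when
  # the client sent no certificate at all (the case ssl_verify_peer never
  # sees, which is why the server must also call this from
  # ssl_handshake_completed with the result of get_peer_cert).
  def self.verdict(pem, store = CA_STORE)
    return :no_certificate if pem.nil?
    cert = OpenSSL::X509::Certificate.new(pem)
    store.verify(cert) ? :ok : :invalid
  rescue OpenSSL::X509::CertificateError
    :invalid
  end
end

if defined?(EventMachine)
  class MtlsServer < EventMachine::Connection
    # Hypothetical paths; point these at a real server key and certificate.
    SERVER_KEY  = 'server.key'
    SERVER_CERT = 'server.crt'

    def post_init
      start_tls(:verify_peer => true,
                :private_key_file => SERVER_KEY,
                :cert_chain_file => SERVER_CERT)
    end

    # Called once per certificate the client presents (PEM string).
    # Returning false aborts the handshake.
    def ssl_verify_peer(cert)
      ClientCertPolicy.verdict(cert) == :ok
    end

    # Workaround from the issue: a client that presents no certificate never
    # triggers ssl_verify_peer, so re-check after the handshake finished.
    def ssl_handshake_completed
      if ClientCertPolicy.verdict(get_peer_cert) == :no_certificate
        close_connection
      end
    end
  end

  # Usage (blocks until the reactor stops):
  #   EventMachine.run { EventMachine.start_server('127.0.0.1', 8443, MtlsServer) }
  def self.run_mtls_server(host = '127.0.0.1', port = 8443)
    EventMachine.run { EventMachine.start_server(host, port, MtlsServer) }
  end
end
```

The verdict helper keeps the three outcomes distinct (:ok, :invalid, :no_certificate) so that the server can treat "no certificate" as a rejection rather than silently letting the connection through, which is exactly the gap the issue describes when only ssl_verify_peer is relied on.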