If a client provides no certificate in the TLS negotiation, ssl_verify_peer(cert) is not called (as that method is called for each certificate provided by the client).
Let's say I want to deny a connection if the client provides an invalid certificate, but also if the client provides no certificate.
How to handle this last case? A workaround would be using cert=get_peer_cert() in the ssl_handshake_completed() method and denying the connection if cert is nil.
However, I suggest that when the EM server runs start_tls with :verify_peer => true, ssl_verify_peer(cert) is also called even if the client does not provide a certificate. In this case, the method would be called with nil as argument. In this way the server realizes that no certificate is provided, so it can reject the connection.
Another solution could be a new callback no_peer_ssl() which is invoked in case no certificate is provided by the client. Honestly I prefer the solution above (simpler IMHO).
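The workaround described in the post, written out as an added example (not EventMachine's own code, nor code from the issue author): ssl_verify_peer checks each presented certificate against the CA, and ssl_handshake_completed catches the no-certificate case via get_peer_cert. The server start-up line and the server.key / server.crt file names are assumptions; client certificates are assumed to be issued directly by the CA.

```ruby
require 'openssl'

# EventMachine connection handler that rejects clients presenting an invalid
# certificate AND clients presenting no certificate at all.
# Added example; assumed usage (placeholder file names):
#   EM.start_server('0.0.0.0', 8443, RequireClientCert, File.read('ca.pem'))
module RequireClientCert
  # EM passes the extra start_server arguments to initialize.
  def initialize(ca_pem)
    @store = OpenSSL::X509::Store.new
    @store.add_cert(OpenSSL::X509::Certificate.new(ca_pem))
    @rejected = false
  end

  def post_init
    start_tls(verify_peer: true,
              private_key_file: 'server.key', cert_chain_file: 'server.crt')
  end

  # Case 1: the client sent a certificate. EM calls this once per certificate
  # in the chain with the PEM text; returning false aborts the handshake.
  # It is never called when the client sends nothing, which is the gap above.
  def ssl_verify_peer(pem)
    cert = OpenSSL::X509::Certificate.new(pem)
    @store.verify(cert) # true only if it chains to the configured CA
  rescue OpenSSL::X509::CertificateError
    false # unparsable data is treated as an invalid certificate
  end

  # Case 2 (the workaround): after the handshake, get_peer_cert is nil when
  # the client sent no certificate, so the connection is dropped here.
  def ssl_handshake_completed
    return unless get_peer_cert.nil?
    @rejected = true
    close_connection
  end

  def rejected?
    @rejected
  end
end
```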
We could just set the SSL_VERIFY_FAIL_IF_NO_PEER_CERT flag if :verify_peer is true, but it would really be nice to get that to call ssl_verify_peer... I'll try to find a way to make it do that.