Beefy Boxes and Bandwidth Generously Provided by pair Networks
XP is just a number
 
PerlMonks  

Re^3: Make IO::Socket:SSL refuse connections without client certificate

by noxxi (Pilgrim)
on Oct 13, 2016 at 06:22 UTC ( [id://1173900]=note: print w/replies, xml ) Need Help??


in reply to Re^2: Make IO::Socket:SSL refuse connections without client certificate
in thread [SOLVED] Make IO::Socket:SSL refuse connections without client certificate

> SSL_verify_mode => SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,

I cannot reproduce the problem in this case. The server reliably fails with the handshake in this case and no output can be seen at the wget client.

As for the cases w/o SSL_VERIFY_PEER: in this case no client certificate will be requested and thus no certificate checked, i.e. SSL_VERIFY_FAIL_IF_NO_PEER_CERT without SSL_VERIFY_PEER will be ignored. See also SSL_CTX_set_verify where it explicitly states that SSL_VERIFY_FAIL_IF_NO_PEER_CERT must be used with SSL_VERIFY_PEER. And note that the documentation of IO::Socket::SSL explicitly refers to the documentation of SSL_CTX_set_verify for how to use these flags.

> All three of these variants allow authentication via certificate ...

This cannot be reproduced either. If SSL_VERIFY_PEER is not then set the server will not send a CertificateRequest inside the TLS handshake which means that the client will not send a certificate even if it has one.

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: note [id://1173900]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others imbibing at the Monastery: (6)
As of 2024-03-28 10:46 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found