XP is just a number | |
PerlMonks |
Re^3: Make IO::Socket:SSL refuse connections without client certificateby noxxi (Pilgrim) |
on Oct 13, 2016 at 06:22 UTC ( [id://1173900]=note: print w/replies, xml ) | Need Help?? |
> SSL_verify_mode => SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, I cannot reproduce the problem in this case. The server reliably fails with the handshake in this case and no output can be seen at the wget client. As for the cases w/o SSL_VERIFY_PEER: in this case no client certificate will be requested and thus no certificate checked, i.e. SSL_VERIFY_FAIL_IF_NO_PEER_CERT without SSL_VERIFY_PEER will be ignored. See also SSL_CTX_set_verify where it explicitly states that SSL_VERIFY_FAIL_IF_NO_PEER_CERT must be used with SSL_VERIFY_PEER. And note that the documentation of IO::Socket::SSL explicitly refers to the documentation of SSL_CTX_set_verify for how to use these flags. > All three of these variants allow authentication via certificate ... This cannot be reproduced either. If SSL_VERIFY_PEER is not then set the server will not send a CertificateRequest inside the TLS handshake which means that the client will not send a certificate even if it has one.
In Section
Seekers of Perl Wisdom
|
|