On Tue, Jul 21, 2015, Victor Wagner wrote:
> On Tue, 21 Jul 2015 06:58:24 +0000 (UTC)
> Anirudh Raghunath <anirudhraghunath at rocketmail.com> wrote:
>
> As far as I can understand, this function is designed to be called from
> the client certificate callback, set with the function
> SSL_CTX_set_client_cert_cb. This callback gets a pointer to the SSL structure
> (which should be passed to ENGINE_load_ssl_client_cert) and can use
> SSL_get_client_CA_list to obtain the list of CAs which the server would trust.
> (The SSL protocol allows this list to be sent to the client.)
>

It's intended to be called automatically when SSL_CTX_set_client_cert_engine sets up a "client authentication ENGINE".

> So, you would pass to ENGINE_load_ssl_client_certs
>
> 1. a reference to the engine to use
> 2. a pointer to the SSL object of your client connection (don't know why it
> might be needed),

This is there so the ENGINE can query other properties of the connection which might decide which chain to use. For example the supported signature algorithms.

>
> Unfortunately, I do not know any engine which does all the things above.
> I've looked into the source of the OpenSC pkcs11 engine version 0.1.8 and found
> out that it doesn't support this function.
>

The CryptoAPI ENGINE performs some of these tasks but so far it is the only one I'm aware of.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org