RE: TLSv12 Client Certificate Selection Behavior !!

> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of
> Jakob Bohm via openssl-users
> Sent: Tuesday, June 11, 2019 08:19
>
> On 11/06/2019 12:50, Hareesh D wrote:
> >
> > Is this behavior valid and according to RFC?
>
> There's an overarching OpenSSL policy that certificate checks are
> done exclusively by the relying end (for client certs, that's the
> server), except when the certified end is trying to choose from
> multiple certificates.
>
> Thus with only one certificate available, OpenSSL sends the
> (untrusted, and in this case inappropriate) certificate, just in
> case the server was somehow configured to make a special exception
> for this particular case.

Yes. I for one would argue this existing behavior (i.e. not enforcing every mandate of every applicable standard, at every step of the way) is the Right Thing to do. While it's good that OpenSSL is increasingly providing functionality to make it easier for applications to follow the RFCs and other standards, it's also very important that applications have the flexibility to violate some aspects of those standards. That is critical for interoperability with non-standard peers, as Jakob wrote, and for testing, among other things.

--
Michael Wojcik
Distinguished Engineer, Micro Focus






