> On Sep 3, 2019, at 11:27 AM, M K Saravanan <mksarav@xxxxxxxxx> wrote:
>
> Thanks Richard for the reply. Let me rephrase my question:
>
> If a client encounters any error condition (e.g. does not have access to the private key for whatever reason) in generating the signature, can it send zero bytes in the signature field of CertificateVerify message to indicate the error condition? Is this allowed in TLS 1.2 RFC?

There is nothing special about an all zero or any other sequence of characters in the signature. A signature is either valid or not. A client that does not possess the private key for its certificate can decline the server's request for a client certificate, by sending a zero-length ClientCertificate and no ClientVerify.

--
	Viktor.
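
Added example, not part of the original message: a Python sketch of how a TLS 1.2 server could classify the client's answer to a CertificateRequest, using the handshake framing from RFC 5246 (1-byte type, 24-bit length; in the RFC's naming the two messages are Certificate, type 11, and CertificateVerify, type 15). The function names are hypothetical, and it assumes any certificate the client offers is signing-capable.

```python
import struct

# HandshakeType values from RFC 5246
CERTIFICATE, CERTIFICATE_VERIFY, CLIENT_KEY_EXCHANGE = 11, 15, 16

def u24(n):
    """Encode a 24-bit big-endian length."""
    return struct.pack(">I", n)[1:]

def handshake(msg_type, body):
    """Prefix a body with the handshake header: 1-byte type, 3-byte length."""
    return bytes([msg_type]) + u24(len(body)) + body

def empty_certificate():
    """Certificate message with a zero-length certificate_list (client declines)."""
    return handshake(CERTIFICATE, u24(0))

def parse_flight(data):
    """Split concatenated handshake messages into {type: body}."""
    msgs, off = {}, 0
    while off < len(data):
        if len(data) - off < 4:
            raise ValueError("truncated handshake header")
        length = int.from_bytes(data[off + 1:off + 4], "big")
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated handshake body")
        msgs[data[off]] = body
        off += 4 + length
    return msgs

def check_client_auth(flight):
    """Classify the client's answer to a CertificateRequest.

    Assumes any certificate offered is signing-capable, so it must be
    followed by CertificateVerify.
    """
    msgs = parse_flight(flight)
    cert = msgs.get(CERTIFICATE)
    if cert is None or len(cert) < 3:
        raise ValueError("missing or malformed Certificate message")
    if int.from_bytes(cert[:3], "big") != len(cert) - 3:
        raise ValueError("certificate_list length mismatch")
    has_verify = CERTIFICATE_VERIFY in msgs
    if len(cert) == 3:  # empty certificate_list
        if has_verify:
            raise ValueError("CertificateVerify without a certificate")
        return "declined"
    if not has_verify:
        raise ValueError("certificate without CertificateVerify")
    return "verify-signature"  # signature bytes get no special cases
```

A flight that returns "verify-signature" still has to pass the normal signature check; an all-zero signature field simply fails it like any other invalid signature.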