On Thu, Sep 01, 2022 at 09:36:36PM +0000, Wall, Stephen wrote:

> Does OpenSSL 3.0 provide a way for client side software to verify that
> the server actually sent a request for the client’s certificate?

It is not clear what threat model warrants taking special action when
the client certificate is not requested. It could equally be requested
and then largely ignored.

Note that if resumption takes place the handshake might even happen
without presenting the server certificate to the client.

--
Viktor.