On Fri, Mar 08, 2024 at 03:50:31PM +0000, Wall, Stephen wrote:

> > From: openssl-users <openssl-users-bounces@xxxxxxxxxxx> On Behalf Of Jason Qian via openssl-users
> > Subject: Need help - Client Authentication
> >
> > My question is regarding "SSL_CTX_set_default_passwd_cb_userdata".
> > Do I need to set the password? I tried with/without the call and all seemed to work fine.
>
> "SSL_CTX_set_default_passwd_cb_userdata()" is only useful if you are
> also calling "SSL_CTX_set_default_passwd_cb()" to set your own
> callback function, which I don't see in your posted code.

Correct.

> So, no. The callback would be used when the client certificate is
> encrypted and needs a password.

No. The client certificate (received from the remote client as part of
the TLS handshake) is never encrypted with a password (in TLS 1.3 the
enclosing TLS record will be encrypted with a key derived from the
exchanged key share messages).

In the OP's case, the password callback is only needed if the server's
private key is password-protected, which is pointless in unattended
server applications, because the password will be stored along with the
private key.

-- 
    Viktor.
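
An added example, not part of the thread and not OpenSSL's own code: a password callback for a password-protected server private key, the case the reply above describes. The struct `key_pass_source`, the function name `key_passwd_cb`, the file name and the passphrase are assumptions made for illustration.

```c
/* Added example. key_passwd_cb has OpenSSL's pem_password_cb signature; a
 * server would register it before loading its encrypted private key:
 *   SSL_CTX_set_default_passwd_cb(ctx, key_passwd_cb);
 *   SSL_CTX_set_default_passwd_cb_userdata(ctx, &src);
 *   SSL_CTX_use_PrivateKey_file(ctx, "server.key", SSL_FILETYPE_PEM);
 * ("server.key" is a placeholder). The calls stay in this comment so the
 * block builds without the OpenSSL headers. */
#include <stdio.h>
#include <string.h>

/* Hypothetical userdata type: the passphrase plus a call counter. */
struct key_pass_source {
    const char *passphrase; /* NUL-terminated, owned by the caller */
    int calls;              /* times the callback was invoked */
};

/* Returns the passphrase length written to buf, or -1 on error. */
int key_passwd_cb(char *buf, int size, int rwflag, void *userdata)
{
    struct key_pass_source *src = userdata;
    size_t len;

    /* userdata is NULL unless the application set it. */
    if (src == NULL || src->passphrase == NULL || buf == NULL || size <= 0)
        return -1;
    src->calls++;
    if (rwflag != 0) /* 1 means a key is being written; a server only reads */
        return -1;
    len = strlen(src->passphrase);
    if (len >= (size_t)size) /* refuse to hand back a truncated passphrase */
        return -1;
    memcpy(buf, src->passphrase, len + 1);
    return (int)len;
}

int main(void)
{
    char buf[64];
    struct key_pass_source src = { "constructed-passphrase", 0 }; /* constructed sample */

    printf("with userdata: %d\n", key_passwd_cb(buf, (int)sizeof buf, 0, &src));
    printf("without userdata: %d\n", key_passwd_cb(buf, (int)sizeof buf, 0, NULL));
    return 0;
}
```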