On Sat, 9 Dec 2023 at 03:57, william@welliver.org wrote:
Hmm. Maybe I should polish the two scripts I was using, and then put them into the SSL module somewhere as examples. There are quite a few subtleties (like that you won't see client certs unless you set "ctx->auth_level = SSL.Constants.AUTHLEVEL_ask" on the server side) and I would really have appreciated an example like that.
There's a lot of black magic in TLS, and client certificate handling is deceptively complicated, and there isn't really a one-size-fits-all solution. A lot of clients (web browsers particularly) won't provide a certificate, even if they have one, unless the server auth level is set to require. In a situation where you plan to use the certificate for authentication, it's best to set the level to require, otherwise users may find themselves failing to authenticate despite having configured a certificate.
Bill
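The server-side setting the two messages above discuss, as an added example that is not one of the scripts from the thread. It assumes Pike 8's SSL module (SSL.Context, SSL.Port, SSL.Constants.AUTHLEVEL_*) and the Standards.PEM/PKCS/X509 helpers; the file paths are placeholders and get_peer_certificates() is the accessor name as I believe it is, so check it against your Pike version.

```pike
// Added example, not code from the thread. Assumes Pike 8's SSL module;
// paths are placeholders for your own key, certificate and client CA.
SSL.Context ctx = SSL.Context();

// Server key and certificate (PEM on disk, DER in the context).
string key_pem  = Stdio.read_file("server-key.pem");
string cert_pem = Stdio.read_file("server-cert.pem");
ctx->add_cert(Standards.PKCS.RSA.parse_private_key(
                Standards.PEM.simple_decode(key_pem)),
              ({ Standards.PEM.simple_decode(cert_pem) }));

// The CA that signed the client certificates. It goes in 'authorities'
// so the CertificateRequest names it (browsers only offer certs issued
// by a named CA), and in 'trusted_issuers' so the chain the client
// sends is actually verified against it rather than merely received.
string ca_der = Standards.PEM.simple_decode(Stdio.read_file("client-ca.pem"));
ctx->authorities     = ({ ca_der });
ctx->trusted_issuers = ({ ({ ca_der }) });

// The subtlety from the thread: with AUTHLEVEL_none (the default) the
// server never sends a CertificateRequest, so clients never offer a
// certificate. AUTHLEVEL_ask requests one but completes the handshake
// without it, so the application must check for its absence itself.
// AUTHLEVEL_require aborts the handshake if none (or a bad one) is sent,
// which is the safe choice when the certificate is the authentication.
ctx->auth_level = SSL.Constants.AUTHLEVEL_require;

void accept_cb(SSL.Port port)
{
  SSL.File conn = port->accept();
  if (!conn) return;
  // Only reachable with a verified client certificate at AUTHLEVEL_require.
  // With AUTHLEVEL_ask this array may be empty and must be checked here.
  array(string) chain = conn->get_peer_certificates();  // assumed accessor name
  if (!chain || !sizeof(chain)) {
    conn->close();
    return;
  }
  conn->write("authenticated\n");
  conn->close();
}

int main()
{
  SSL.Port port = SSL.Port(ctx);
  port->bind(8443, accept_cb);
  return -1;  // keep the backend running
}
```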
Yeah, "ask" or "require", else the client won't offer it. It makes sense, I guess, but definitely means it would be worth having at least one example somewhere for people to refer to. I'll see what I can do to add different use-cases and annotations to the script before inclusion.
One part that I'm still very iffy on is certificate authorities. For my own usage, I hard-coded the one authority that signed the certs I'm using, but for a proper example, I'll have to look into how authority checking is done for server certs and imitate that.
ChrisA