enforcing mutual auth from the client

Viktor Dukhovni openssl-users at dukhovni.org
Thu Sep 1 21:51:59 UTC 2022


On Thu, Sep 01, 2022 at 09:36:36PM +0000, Wall, Stephen wrote:

> Does OpenSSL 3.0 provide a way for client side software to verify that
> the server actually sent a request for the client’s certificate?

It is not clear what threat model warrants taking special action when
the client certificate is not requested.  It could equally be requested
and then largely ignored.

Note that if resumption takes place the handshake might even happen
without presenting the server certificate to the client.

-- 
    Viktor.
