[openssl-dev] Client Certificate sent though SSL client is configured with NO authentication

Viktor Dukhovni openssl-users at dukhovni.org
Sat Jan 3 17:13:07 UTC 2015


On Sat, Jan 03, 2015 at 06:44:28AM +0000, Satish.KumarYarru at cognizant.com wrote:

> I have configured my SSL client with VERIFY_NONE.

Which allows connections to complete even when the server's
certificate is unverified or not present (if aNULL ciphers are not
excluded on both ends).  This has little effect on the use of client
certificates.

> But when I perform handshake with SSL Server that is configured with "Dual
> Authentication", Client is still sending Client Certificate for the
> Certificate Request sent by client.

As expected.  If you don't want to configure client certificates, create
the SSL handle via SSL_CTX context handle which has not been configured
with a certificate/private-key pair via:

    SSL_CTX_use_certificate_chain_file()
    SSL_CTX_use_PrivateKey_file()

or similar.

> But ideally client should not send certificate as the SSL client is
> configured with NO Authentication.

No, the client is configured to ignore PKIX authentication errors
in verifying the server, the converse is not implied, especially
since you've configured client certificates for some reason.

> When I debugged, I found client is sending the certificate because
> Client Certificate is NOT un-loaded in SSL context when client is
> configured with VERIFY_NONE.

Indeed, if you don't want to use client certificates, don't "load" the
key and certificate in the first place.

> OpenSSL is not providing any API to unload certificate from the SSL context.
> Can you please help me on how to address this issue?

Use an SSL_CTX in which you have NOT loaded any client certificates.

-- 
	Viktor.
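The point Viktor makes, shown with Python's stdlib ssl module (added illustration, not code from the thread or from OpenSSL): the server demands a client certificate, the client sets CERT_NONE (the ssl-module name for VERIFY_NONE), and whether a certificate is sent depends only on whether load_cert_chain() was called on the client context. It assumes the openssl command-line tool is installed, used only to mint throwaway self-signed certificates.

```python
import os, ssl, subprocess, tempfile

def make_self_signed(name):
    """Mint a throwaway self-signed cert/key pair (assumes the openssl CLI is installed)."""
    d = tempfile.mkdtemp()
    cert, key = os.path.join(d, "cert.pem"), os.path.join(d, "key.pem")
    subprocess.run(["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
                    "-subj", "/CN=" + name, "-keyout", key, "-out", cert],
                   check=True, capture_output=True)
    return cert, key

def server_sees_client_cert(client_loads_cert):
    """In-memory TLS handshake; True if the server obtained a client certificate."""
    srv_cert, srv_key = make_self_signed("server")
    cli_cert, cli_key = make_self_signed("client")
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server.load_cert_chain(srv_cert, srv_key)
    server.verify_mode = ssl.CERT_REQUIRED      # "dual authentication": a client cert is demanded
    server.load_verify_locations(cafile=cli_cert)
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.check_hostname = False
    client.verify_mode = ssl.CERT_NONE          # VERIFY_NONE: only server-auth errors are ignored
    if client_loads_cert:                       # this, not verify_mode, decides whether a cert is sent
        client.load_cert_chain(cli_cert, cli_key)
    c_in, c_out, s_in, s_out = (ssl.MemoryBIO() for _ in range(4))
    cli = client.wrap_bio(c_in, c_out, server_side=False)
    srv = server.wrap_bio(s_in, s_out, server_side=True)
    cli_done = srv_done = False
    for _ in range(20):                         # shuttle handshake records between the two BIOs
        if not cli_done:
            try:
                cli.do_handshake()
                cli_done = True
            except ssl.SSLWantReadError:
                pass
        s_in.write(c_out.read())
        if not srv_done:
            try:
                srv.do_handshake()
                srv_done = True
            except ssl.SSLWantReadError:
                pass
            except ssl.SSLError:                # server aborted: no client certificate arrived
                return False
        c_in.write(s_out.read())
        if cli_done and srv_done:
            return bool(srv.getpeercert())
    raise RuntimeError("handshake did not complete")
```

Running both variants shows the server accepting the handshake only when the client context had a certificate loaded; CERT_NONE on the client changes nothing about that.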