How to reject a certificate with access_denied?

Christian Schmidt schmidt at digadd.de
Mon Jun 6 17:08:00 UTC 2022


Hi,

I am building a server application that allows a user to log in by
providing a certificate. In order to do custom checks, I have added a
verify callback to my code to check the certificate on top of its
cryptographic features (CA Valid, etc).

If the certificate does not pass my extended checks, I would like to
return the access_denied alert as per RFC 8446 section 6.2:

access_denied:  A valid certificate or PSK was received, but when
   access control was applied, the sender decided not to proceed with
   negotiation.

However, I can't find a way to generate this alert in openssl, although
openssl can handle receiving it.

How do I make a callback return a non-defined (as in not defined in the
headers) alert?

Best regards,
Christian


More information about the openssl-users mailing list