
Re: [TLS] NIST TLS recommendations



Bodo Moeller <bmoeller@xxxxxxx> writes:

>In many situations, servers request client authentication via a certificate,
>but can tolerate unauthenticated clients as well.

Actually, it's even more lopsided than that: in almost every case in which my
code's encountered a cert request from a public server (I put in a debug check
for this so I'd get feedback; see the footnote below), the server operator,
when contacted, didn't care about client authentication, and in many cases
both didn't know that their server was asking for client certs and had no idea
how to disable it when it was. So silently failing/continuing is probably
essential to allow continued operation.

(My code originally bailed out with an error when a server requested a client
 cert and none was available, but I got lots of complaints that every other
 SSL implementation just continued without providing the cert, so the standard
 and expected behaviour seems to be to just carry on without client auth when
 the server asks for a cert).

Peter.


_______________________________________________
TLS mailing list
TLS@xxxxxxxxxxxxxx
https://www1.ietf.org/mailman/listinfo/tls
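The request-but-tolerate behaviour discussed in this thread, as an added Go example (not Peter's or Bodo's code): a server configured with tls.RequestClientCert asks for a client certificate yet completes the handshake when the client answers with an empty Certificate message, while tls.RequireAnyClientCert rejects that same client. It assumes Go's crypto/tls, a constructed in-memory self-signed certificate and the placeholder hostname example.test.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"math/big"
	"net"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// selfSigned builds a throwaway self-signed server certificate in memory (constructed test data) and a root pool that trusts it.
func selfSigned() (tls.Certificate, *x509.CertPool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{"example.test"},
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	pool := x509.NewCertPool()
	pool.AddCert(must(x509.ParseCertificate(der)))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool
}

// handshake runs one TLS handshake over an in-memory pipe with the given server ClientAuth policy.
// The client owns no certificate, so it answers the CertificateRequest with an empty Certificate and carries on.
// Session tickets are off because a post-handshake NewSessionTicket write would block the unbuffered pipe.
func handshake(policy tls.ClientAuthType) error {
	cert, pool := selfSigned()
	cConn, sConn := net.Pipe()
	srv := tls.Server(sConn, &tls.Config{Certificates: []tls.Certificate{cert}, ClientAuth: policy, SessionTicketsDisabled: true})
	cli := tls.Client(cConn, &tls.Config{RootCAs: pool, ServerName: "example.test"})
	errc := make(chan error, 1)
	go func() { err := srv.Handshake(); sConn.Close(); errc <- err }()
	cErr := cli.Handshake()
	cConn.Close()
	return errors.Join(<-errc, cErr) // nil only when both sides accept the handshake
}
```

Note that the client's own Handshake returns success in both cases; only the server's verdict differs, which is why both sides' results are combined.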