Re: Server re-negotiate to request client certificate

"Michelle Lai [MSFT]" <MichelleLaiMSFT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:72A09E54-8508-4547-97FD-5F7F3BC1E15A@xxxxxxxxxxxxxxxx
How can I implement a server application to re-negotiate with the client to
get a client certificate (after a successful handshake)?


Hi Michelle,

Generally, the strategy should be to request a client certificate in the
ServerHello, by specifying ASC_REQ_MUTUAL_AUTH when you call
AcceptSecurityContext, and deal with an empty or absent list of certificates
if you're going to allow unauthenticated clients to connect as well as
authenticated ones.

However, if you've set your heart on renegotiating, you should follow the
general instructions in
http://msdn2.microsoft.com/en-us/library/aa379413.aspx - call
AcceptSecurityContext with a modified fContextReq parameter (with
ASC_REQ_MUTUAL_AUTH ORed in).

Bear in mind that many client apps will not have code to detect the
renegotiation, and as a result, they will treat your request as an error in
the SSL communication; the same is probably true, of course, of requesting
client certificates at the start of the communication.

Alun.
~~~~