Re: Server re-negotiate to request client certificate
- From: "Alun Jones" <alun@xxxxxxxxxxxxx>
- Date: Fri, 2 Nov 2007 08:55:14 -0700
"Michelle Lai [MSFT]" <MichelleLaiMSFT@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
> How can I implement a server application to re-negotiate with the client to
> get a client certificate (after a successful handshake)?
Generally, the strategy should be to request a client certificate in the
ServerHello, by specifying ASC_REQ_MUTUAL_AUTH when you call
AcceptSecurityContext, and deal with an empty or absent list of certificates
if you're going to allow unauthenticated clients to connect as well as
However, if you've set your heart on renegotiating, you should follow the
general instructions in
http://msdn2.microsoft.com/en-us/library/aa379413.aspx - call
AcceptSecurityContext with a modified fContextReq parameter (with
ASC_REQ_MUTUAL_AUTH ORed in).
Bear in mind that many client apps will not have code to detect the
renegotiation, and as a result, they will treat your request as an error in
the SSL communication; the same is probably true, of course, of requesting
client certificates at the start of the communication.