curl-users
Re: Curl --cert option
Date: Thu, 29 Jan 2004 20:59:31 +0100
Hello Peter,
Peter Sylvester wrote:
>>The client sends only his own certificate.
>>
>>This is in the SSL/TLS1 protocol:
>>
>>the server sends a list of CA DNs he trusts for client authentication.
>>If the client certificate was issued by one of these CAs,
>>the client sends his own certificate.
>
> Unless I misread the text, this is not in the TLS protocol.
> Section 7.4.2 of RFC 2246 defines the structure as a (truncated)
> chain up to some 'root' (which can be omitted). The section is the
> description for the server certificate message but it
> is taken as is in the description of the client certificate.
Sometimes it is better to have a look at what you are talking about... :-(
I was wrong.
SSL3 / TLS1 allows the client to send a certificate chain in
client verify.
And curl sets the chain.
But are we really sure SSL3 / TLS is used?
Looking at the source it seems that SSL2 only
sends the client cert (without chain).
So if SSL2 is used...
Bye
Goetz
-- 
Goetz Babin-Ebell, TC TrustCenter AG, http://www.trustcenter.de
Sonninstr. 24-28, 20097 Hamburg, Germany
Tel.: +49-(0)40 80 80 26 -0, Fax: +49-(0)40 80 80 26 -126
- application/x-pkcs7-signature attachment: S/MIME Cryptographic Signature