X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=FAQ;h=019c016bebcacdf6d3c36b37fb86117042d08a1d;hp=71c27a7b3b53e717a91ecf11c7e0c1ddb6c052af;hb=a679116f6fe24be5d2ddb16437ee86f77ac53947;hpb=a116afa42edd81b248c795787143aa4578fdd187 diff --git a/FAQ b/FAQ index 71c27a7b3b..019c016beb 100644 --- a/FAQ +++ b/FAQ @@ -47,6 +47,7 @@ OpenSSL - Frequently Asked Questions * Why do I get errors about unknown algorithms? * Why can't the OpenSSH configure script detect OpenSSL? * Can I use OpenSSL's SSL library with non-blocking I/O? +* Why doesn't my server application receive a client certificate? =============================================================================== 
@@ -169,18 +170,22 @@ application you are using. It is likely that it never worked correctly. OpenSSL 0.9.5 and later make the error visible by refusing to perform potentially insecure encryption. -On systems without /dev/urandom, it is a good idea to use the Entropy -Gathering Demon; see the RAND_egd() manpage for details. +On systems without /dev/urandom and /dev/random, it is a good idea to +use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for +details. Starting with version 0.9.7, OpenSSL will automatically look +for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and +/etc/entropy. Most components of the openssl command line tool try to use the file $HOME/.rnd (or $RANDFILE, if this environment variable is set) for seeding the PRNG. If this file does not exist or is too short, the "PRNG not seeded" error message may occur. - -[Note to OpenSSL 0.9.5 users: The command "openssl rsa" in version -0.9.5 does not do this and will fail on systems without /dev/urandom -when trying to password-encrypt an RSA key! This is a bug in the -library; try a later version instead.] +Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work. +Use the "-rand" option of the OpenSSL command line tools instead. +The $RANDFILE environment variable and $HOME/.rnd are only used by the +OpenSSL command line tools. Applications using the OpenSSL library +provide their own configuration options to specify the entropy source, +please check out the documentation coming the with application. For Solaris 2.6, Tim Nibbe and others have suggested installing the SUNski package from Sun patch 105710-01 (Sparc) which 
@@ -515,5 +520,12 @@ requiring a bi-directional message exchange; both SSL_read() and SSL_write() will try to continue any pending handshake. +* Why doesn't my server application receive a client certificate? + +Due to the TLS protocol definition, a client will only send a certificate, +if explicitely asked by the server. Use the SSL_VERIFY_PEER flag of the +SSL_CTX_set_verify() function to enable the use of client certificates. + + ===============================================================================
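Review bot: In the hunk at @@ -169,18 +170,22 @@, the last added sentence has two words transposed: "please check out the documentation coming the with application" should read "coming with the application". The comma splice before "please" is better as a full stop. The same hunk spells the name two ways, "Entropy Gathering Demon (EGD)" in the first added paragraph and "Entropy Gathering Daemon socket" in the second; use one spelling throughout. The new text tells readers to use "-rand" instead of $RANDFILE for an EGD socket but does not say what to pass to it, so a short pointer to where the option is documented would make the advice usable.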
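Review bot: In the new answer added by the hunk at @@ -515,5 +520,12 @@, SSL_VERIFY_PEER is the only flag named. On a server that flag makes OpenSSL request a client certificate, but the handshake still completes if the client sends none. The entry should add that a server which requires a certificate must combine it with SSL_VERIFY_FAIL_IF_NO_PEER_CERT, otherwise readers may take a successful handshake to mean the client was authenticated. Two smaller points in the same lines: "explicitely" should be "explicitly", and the comma in "send a certificate, if" should go. The hunk also adds two blank lines before the separator where the surrounding entries use one.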