Steve Parkinson wrote:
> Nelson B wrote:
>> Steve Parkinson wrote:
>>
>>> To verify this, you might want to turn on SSL Tracing. Use a debug build
>>> of NSS, and then run with the env variable SSLTRACE set to, say 100. It
>>> will spit out tons of debug info - search for the string
>>> 'Request-Certificate', which indicates the server is asking for the
>>> client's certificate.
>>
>> I think a much simpler initial step is to use ssltap to capture the
>> connections and their SSL handshakes. Most of the time that will show
>> an obvious problem with the request coming from the server. In the case
>> where it seems the server did well, and the mystery is why the client
>> didn't respond to it, then it may be time to try SSLTRACE. But that's
>> not the first tool I'd use.
>
> My reasoning was that if the server WAS sending the Request-Certificate
> message, that might be encrypted, and thus not visible to ssltap, so
> Mike might wrongly conclude that the server was misconfigured.
>
> It's certainly good to be familiar with all these methods for debugging.

Steve, you wrote ssltap and are recommending SSLTRACE.
I wrote SSLTRACE and am recommending ssltap.
Seems ironic, somehow. :-)
--
Nelson B
_______________________________________________
dev-tech-crypto mailing list
https://lists.mozilla.org/listinfo/dev-tech-crypto