
How do I configure mutual authentication?

Question: How do I configure either the NanoSSL client or NanoSSL server for mutual authentication?

Answer: Both the NanoSSL client and NanoSSL server must be built with the __ENABLE_MOCANA_SSL_MUTUAL_AUTH_SUPPORT__ flag. By default, mutual authentication is enabled for the NanoSSL server; however, it may be explicitly controlled at runtime by using the SSL_ioctl function to set the SSL_FLAG_REQUIRE_MUTUAL_AUTH flag.

If the NanoSSL client is built with mutual authentication, it processes the certificate request from the SSL server and replies with a valid certificate based on a lookup in the certificate store. If no certificate is found in the certificate store, or if SSL_ioctl is used to set SSL_FLAG_NO_MUTUAL_AUTH_REPLY at runtime, the client replies with a zero-length (null) certificate. If the NanoSSL client must enforce that the server always sends a mutual authentication certificate request, set SSL_FLAG_REQUIRE_MUTUAL_AUTH using an SSL_ioctl call; the client then closes the connection if it does not receive a certificate request.

When the NanoSSL server sends a certificate request to the client, the remote client may respond with a valid certificate or an empty certificate. In the case of an empty certificate, the server invokes the registered funcPtrInvalidCertCallback application callback to determine whether to allow the connection to continue or to terminate it. When SSL_FLAG_REQUIRE_MUTUAL_AUTH is enabled, the NanoSSL server always expects a certificate response from the client (even though it may be an empty certificate).
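The following C program is an added illustration, not NanoSSL code: it models the client and server policy described in this answer (certificate-store lookup, SSL_FLAG_NO_MUTUAL_AUTH_REPLY, SSL_FLAG_REQUIRE_MUTUAL_AUTH on either side, and the funcPtrInvalidCertCallback decision for an empty certificate) so the outcome of each flag combination can be checked without a network. The flag names come from the answer, but their numeric values are local placeholders standing in for whatever SSL_ioctl would set, the callback type and the handshake result names are hypothetical, and treating a missing callback as "terminate" is an assumption of this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Local stand-ins for the NanoSSL flag names quoted in the answer.
   The numeric values are placeholders for this model, not the library's. */
#define SSL_FLAG_REQUIRE_MUTUAL_AUTH   (1u << 0)
#define SSL_FLAG_NO_MUTUAL_AUTH_REPLY  (1u << 1)

typedef enum {
    HS_OK_CLIENT_AUTHENTICATED, /* client sent a certificate in reply to the request */
    HS_OK_NO_CLIENT_AUTH,       /* no client certificate, but the connection continues */
    HS_CLOSED_BY_CLIENT,        /* client required a certificate request and got none */
    HS_CLOSED_BY_SERVER         /* server's callback rejected the empty certificate */
} hs_result;

typedef struct {
    unsigned flags;     /* runtime flags that SSL_ioctl would set on the client */
    bool cert_in_store; /* whether the certificate-store lookup finds a certificate */
} client_cfg;

/* Models funcPtrInvalidCertCallback: return true to allow, false to terminate. */
typedef bool (*invalid_cert_cb)(void *ctx);

typedef struct {
    unsigned flags;              /* runtime flags that SSL_ioctl would set on the server */
    invalid_cert_cb on_invalid_cert;
    void *cb_ctx;
} server_cfg;

/* Two constructed application callbacks for the empty-certificate case. */
static bool allow_empty_cert(void *ctx) { (void)ctx; return true; }
static bool deny_empty_cert(void *ctx)  { (void)ctx; return false; }

/* Client reply to a certificate request: length of the certificate sent.
   0 models the zero-length (null) certificate described in the answer. */
static size_t client_cert_reply_len(const client_cfg *c, size_t stored_cert_len)
{
    if (!c->cert_in_store) return 0;
    if (c->flags & SSL_FLAG_NO_MUTUAL_AUTH_REPLY) return 0;
    return stored_cert_len;
}

hs_result run_handshake(const client_cfg *c, const server_cfg *s)
{
    bool server_requests_cert = (s->flags & SSL_FLAG_REQUIRE_MUTUAL_AUTH) != 0;

    if (!server_requests_cert) {
        /* Client configured to require the request: close if it never arrives. */
        if (c->flags & SSL_FLAG_REQUIRE_MUTUAL_AUTH) return HS_CLOSED_BY_CLIENT;
        return HS_OK_NO_CLIENT_AUTH;
    }

    /* 1024 is a constructed length for the stored certificate. */
    size_t len = client_cert_reply_len(c, 1024);
    if (len > 0) return HS_OK_CLIENT_AUTHENTICATED;

    /* Empty certificate: the server consults the registered callback.
       Assumption of this model: no registered callback means terminate. */
    bool allow = s->on_invalid_cert ? s->on_invalid_cert(s->cb_ctx) : false;
    return allow ? HS_OK_NO_CLIENT_AUTH : HS_CLOSED_BY_SERVER;
}

int main(void)
{
    static const char *names[] = {
        "client authenticated", "no client auth, continue",
        "closed by client", "closed by server"
    };
    client_cfg with_cert  = { 0, true };
    client_cfg no_cert    = { 0, false };
    client_cfg suppressed = { SSL_FLAG_NO_MUTUAL_AUTH_REPLY, true };
    client_cfg strict     = { SSL_FLAG_REQUIRE_MUTUAL_AUTH, true };
    server_cfg require_allow = { SSL_FLAG_REQUIRE_MUTUAL_AUTH, allow_empty_cert, NULL };
    server_cfg require_deny  = { SSL_FLAG_REQUIRE_MUTUAL_AUTH, deny_empty_cert, NULL };
    server_cfg no_require    = { 0, NULL, NULL };

    printf("cert in store, server requires:        %s\n", names[run_handshake(&with_cert, &require_allow)]);
    printf("no cert, callback allows:              %s\n", names[run_handshake(&no_cert, &require_allow)]);
    printf("no cert, callback denies:              %s\n", names[run_handshake(&no_cert, &require_deny)]);
    printf("reply suppressed, callback denies:     %s\n", names[run_handshake(&suppressed, &require_deny)]);
    printf("strict client, server never requests:  %s\n", names[run_handshake(&strict, &no_require)]);
    return 0;
}
```

The model makes the asymmetry visible: SSL_FLAG_REQUIRE_MUTUAL_AUTH on the server only guarantees that a certificate response arrives, so the registered callback is the place where an empty certificate is actually accepted or rejected, whereas the same flag on the client turns a missing certificate request into a closed connection.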