Supporting TLS client certificate in PHP?

Omar Polo op at omarpolo.com
Mon Dec 21 08:29:51 GMT 2020


Omar Polo <op at omarpolo.com> writes:

> Côme Chilliet <come at chilliet.eu> writes:
>> [snip]
>> However, even if I were implementing this in C, it is not clear to me how to request a client certificate without making it mandatory; is that what SSL_VERIFY_CLIENT_ONCE is for?
>> Are there Gemini servers in C with client certificate support of which I could read the code out there?
>>
>> Côme
>
> I've written my server[0] using LibreSSL (a fork of OpenSSL) and it
> supports client certs.  The code is quite short (a bit more than 1k
> lines) but the key points for your question are these two lines[1]:
>
> 	/* optionally accept client certs, but don't try to verify them */
> 	tls_config_verify_client_optional(conf);
> 	tls_config_insecure_noverifycert(conf);
>
> you need to optionally enable client certs and then tell the library
> not to verify them.
>
> I don't know how to help you in PHP, but I hope this can help a bit :)
>
> [0]: https://github.com/omar-polo/gmid
> [1]: https://github.com/omar-polo/gmid/blob/master/gmid.c#L1076-L1078

I forgot to address a point:

> I'm not sure if you can change the context once a connection is accepted; if so, maybe you can attempt stream_socket_enable_crypto once with verify_peer and, if it fails, run it again without it, but it feels non-optimized.

I don't think you can do this.  Once a connection is established, the
certificates have already been checked, so you need to act beforehand.

And I also forgot to mention that I'm not using the LibreSSL API
directly; I'm using libtls instead (a wrapper with nicer APIs).
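What the two libtls calls quoted above do at the TLS level, shown in Go's crypto/tls as an added example (this is not code from gmid, from the PHP side of the thread, or from anyone on this list): the server is configured before the handshake to request a client certificate without requiring or verifying it, which is what tls.RequestClientCert means; after the handshake it checks whether one arrived, fingerprints it, and answers with Gemini status 60 when it did not. A third connection uses tls.RequireAnyClientCert to show why the "optional" setting matters: an anonymous client is then rejected during the handshake itself. Everything here is constructed for the example: the self-signed certificates, the names gemini.example and alice, the in-memory net.Pipe harness, and the TLS 1.2 pin that the harness needs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate in memory (constructed for
// this example). Gemini clients use such certs as identities, so a server cannot
// verify them against a CA; it can only fingerprint them after the handshake.
func selfSigned(cn string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Result is what the server learned about the client, plus the status line it sent.
type Result struct {
	CertProvided bool
	Fingerprint  string // hex SHA-256 over the leaf certificate's DER; empty if none
	CommonName   string
	Status       string
}

// serve handles the server side of one connection. mode is crypto/tls' counterpart of
// the libtls choice quoted above: tls.RequestClientCert asks for a cert but neither
// requires nor verifies it, while tls.RequireAnyClientCert makes it mandatory.
func serve(raw net.Conn, cert tls.Certificate, mode tls.ClientAuthType) (Result, error) {
	cfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientAuth:   mode,
		// TLS 1.2 pin and no tickets: needed only by the unbuffered net.Pipe harness
		// below so both sides strictly alternate; a real server drops both settings.
		MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12, SessionTicketsDisabled: true,
	}
	c := tls.Server(raw, cfg)
	if err := c.Handshake(); err != nil { // a required but missing cert fails here
		return Result{}, err
	}
	// The peer cert exists only after the handshake, and only because the config
	// asked for it beforehand: it cannot be requested on an established connection.
	var r Result
	if certs := c.ConnectionState().PeerCertificates; len(certs) > 0 {
		sum := sha256.Sum256(certs[0].Raw)
		r = Result{CertProvided: true, Fingerprint: hex.EncodeToString(sum[:]), CommonName: certs[0].Subject.CommonName}
	}
	r.Status = "60 client certificate required\r\n" // Gemini's "identify yourself" status
	if r.CertProvided {
		r.Status = "20 text/gemini\r\n"
	}
	_, err := c.Write([]byte(r.Status))
	return r, err
}

// connect runs serve over an in-memory pipe against a client that may or may not
// present an identity cert, and returns what the server recorded or its error.
func connect(serverCert tls.Certificate, clientCert *tls.Certificate, mode tls.ClientAuthType) (Result, error) {
	clientRaw, serverRaw := net.Pipe()
	defer clientRaw.Close()
	defer serverRaw.Close()
	go func() { // client side: handshake, then read the status line; a rejection arrives as a TLS alert
		// InsecureSkipVerify only because the server cert above is self-signed.
		ccfg := &tls.Config{InsecureSkipVerify: true, MinVersion: tls.VersionTLS12, MaxVersion: tls.VersionTLS12}
		if clientCert != nil {
			ccfg.Certificates = []tls.Certificate{*clientCert}
		}
		c := tls.Client(clientRaw, ccfg)
		if c.Handshake() == nil {
			_, _ = c.Read(make([]byte, 256))
		}
	}()
	return serve(serverRaw, serverCert, mode)
}

func main() {
	srv, alice := selfSigned("gemini.example"), selfSigned("alice")
	anon, _ := connect(srv, nil, tls.RequestClientCert)
	fmt.Printf("anonymous: cert=%v status=%q\n", anon.CertProvided, anon.Status)
	id, _ := connect(srv, &alice, tls.RequestClientCert)
	fmt.Printf("alice: cert=%v cn=%s sha256=%s status=%q\n", id.CertProvided, id.CommonName, id.Fingerprint, id.Status)
	_, err := connect(srv, nil, tls.RequireAnyClientCert)
	fmt.Println("anonymous against RequireAnyClientCert:", err)
}
```

The same setting in OpenSSL terms, for the SSL_VERIFY_CLIENT_ONCE question quoted above: SSL_VERIFY_PEER on a server makes it send a CertificateRequest; leaving out SSL_VERIFY_FAIL_IF_NO_PEER_CERT is what lets an empty answer through, and a verify callback that returns 1 is what skips CA verification. SSL_VERIFY_CLIENT_ONCE only stops the certificate from being requested again on renegotiation. In every library the decision is made on the config or context before the handshake runs, which is what the example's serve function relies on: the fingerprint it hashes is only there because the request went out in the handshake.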

