On Mon, 13 Dec 2004, Didier Conchaudron wrote:
> I was wondering why the directive auth-user-pass-verify is executed when
> the peer connection is still untrusted? (like it's written in the man page)
That's not completely true. The auth-user-pass-verify script is only
executed on the username/password of an untrusted peer if you are not
using certificate verification as well, i.e. if you have the
--client-cert-not-required flag set.
If you are using double authentication, i.e. certificates AND
--auth-user-pass-verify, then the certificate verification and optional
--tls-verify script will be run before the --auth-user-pass-verify script.
So when using certificates, you can be assured that the certificate
verification has succeeded before the --auth-user-pass-verify script
and/or plugin is run.
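The double-authentication case described above, as an added example that is not from this thread or from OpenVPN itself: an --auth-user-pass-verify script in OpenVPN's via-file mode that checks the supplied password against a constructed hash store and, assuming OpenVPN exports the already-verified certificate CN as $common_name, also requires the username to match that CN so a valid certificate cannot be paired with another user's password. The sample users, passwords and the verify_user_pass/stored_hash_for/sha256_hex helpers are this example's own.

```shell
#!/bin/sh
# Added example: an --auth-user-pass-verify script in "via-file" mode. OpenVPN writes
# the username on line 1 and the password on line 2 of a temporary file and passes
# its path as $1; exit 0 accepts the client, non-zero rejects it.
# Assumption: with certificates AND --auth-user-pass-verify, the certificate has
# already been verified when this runs and its CN is exported as $common_name.

# Portable SHA-256 of stdin (whichever tool the host provides).
sha256_hex() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
  else shasum -a 256 | cut -d' ' -f1; fi
}

# Constructed credential store ("user:sha256hex"), built here from sample passwords
# only so the example is self-contained; a real store holds precomputed hashes.
CRED_STORE="alice:$(printf '%s' 'alice-demo-pass' | sha256_hex)
bob:$(printf '%s' 'bob-demo-pass' | sha256_hex)"

# Print the stored hash for user $1 (nothing if the user is unknown).
stored_hash_for() {
  printf '%s\n' "$CRED_STORE" | awk -F: -v u="$1" '$1 == u { print $2 }'
}

# $1 = path to the via-file credentials file, $2 = verified certificate CN ("" if none).
# Returns 0 on success, 1 on unknown user or bad password, 2 if user and CN differ.
verify_user_pass() {
  user=$(sed -n '1p' "$1")
  pass=$(sed -n '2p' "$1")
  [ -n "$user" ] && [ -n "$pass" ] || return 1
  expected=$(stored_hash_for "$user")
  [ -n "$expected" ] || return 1
  actual=$(printf '%s' "$pass" | sha256_hex)
  [ "$actual" = "$expected" ] || return 1
  # Bind the password identity to the certificate identity when a CN is present.
  if [ -n "$2" ] && [ "$2" != "$user" ]; then return 2; fi
  return 0
}

# When OpenVPN invokes the script it passes the file path; check it and exit.
if [ $# -ge 1 ]; then
  verify_user_pass "$1" "${common_name:-}"
  exit $?
fi
```

OpenVPN only reaches this script after --tls-verify and certificate verification in the double-authentication setup, which is what makes the CN binding meaningful; with --client-cert-not-required there is no verified CN to bind to.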