[openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

Charles Mills charlesm at mcn.org
Mon Dec 3 20:45:19 UTC 2018


Those darned customers are asking for it!

I do understand the privacy exposure. Don't know if the customers do or do
not.

Charles


-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of
Viktor Dukhovni
Sent: Monday, December 3, 2018 12:40 PM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Question on necessity of
SSL_CTX_set_client_CA_list

> On Dec 3, 2018, at 3:35 PM, Charles Mills <charlesm at mcn.org> wrote:
> 
> OCSP and OCSP stapling are currently higher on my wish list than this.

Good luck with OCSP, the documentation could definitely be better, and
various projects get it wrong.  IIRC curl gets OCSP right, so you
could look there for example code, some other projects go through the
motions, but don't always achieve a robust result.

[ FWIW, I don't care much for OCSP, it's often not required, so it is
  then not clear what security properties it provides. ]



More information about the openssl-users mailing list