[openssl-users] Client CA list sending is also in TLS < 1.3 (RFC6066)
Viktor Dukhovni
openssl-users at dukhovni.org
Mon Nov 26 19:04:11 UTC 2018
> On Nov 26, 2018, at 11:33 AM, Jakob Bohm via openssl-users <openssl-users at openssl.org> wrote:
>
> In TLS 1.2 and older it was an extension "Trusted CA Indication" (3),
> defined in RFC6066 Chapter 6.
>
> So I would suggest that any OpenSSL API to control that feature in
> TLS 1.3 also affects the matching TLS < 1.3 functionality, and is
> separated from the APIs that control the TLS server sending a list
> of client certificate CAs to clients.
>
> This aspect was somehow missed in a recent discussion of this TLS 1.3
> behavior (which I cannot find right now).
Thanks for the update. I guess OpenSSL never implemented RFC6066.
I am not sure that support for this in TLS 1.2 is worth adding, but you
have a valid point of principle. If it were added, it should use the same
API that supports the equivalent feature in TLS 1.3 in OpenSSL 1.1.1a.
--
Viktor.
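The thread contrasts two wire formats that carry the same "these are the CAs I trust" signal: the RFC 6066 trusted_ca_keys extension (type 3) for TLS 1.2 and earlier, and the TLS 1.3 certificate_authorities extension (type 47, RFC 8446 section 4.2.4). The encoder/decoder below is an added illustration, not code from the mailing-list post or from OpenSSL; it shows why one API could sensibly drive both, since the payload differs only in framing (RFC 6066 carries a per-entry IdentifierType, TLS 1.3 carries bare DER names). SAMPLE_NAME is a constructed DER Name for a fictional "Example CA", not a real trust anchor.

```python
"""Encode/decode the two CA-indication extensions discussed in the thread.

Added example (not OpenSSL code, not from the mailing-list post):
  - RFC 6066 section 6,    trusted_ca_keys,         extension type 3  (TLS <= 1.2)
  - RFC 8446 section 4.2.4, certificate_authorities, extension type 47 (TLS 1.3)
"""
import struct

TRUSTED_CA_KEYS = 3
CERTIFICATE_AUTHORITIES = 47

# RFC 6066 IdentifierType values
PRE_AGREED, KEY_SHA1_HASH, X509_NAME, CERT_SHA1_HASH = 0, 1, 2, 3
SHA1_LEN = 20


def _u16(n):
    if not 0 <= n <= 0xFFFF:
        raise ValueError("value does not fit in uint16")
    return struct.pack("!H", n)


def _read_u16(data, pos):
    if pos + 2 > len(data):
        raise ValueError("truncated uint16 at offset %d" % pos)
    return struct.unpack("!H", data[pos:pos + 2])[0], pos + 2


def _take(data, pos, n):
    if pos + n > len(data):
        raise ValueError("truncated field at offset %d" % pos)
    return data[pos:pos + n], pos + n


def encode_trusted_ca_keys(authorities):
    """authorities: list of (IdentifierType, payload). Returns a TrustedAuthorities body."""
    body = b""
    for ident, payload in authorities:
        if ident == PRE_AGREED:
            if payload:
                raise ValueError("pre_agreed carries no payload")
            body += bytes([ident])
        elif ident in (KEY_SHA1_HASH, CERT_SHA1_HASH):
            if len(payload) != SHA1_LEN:
                raise ValueError("SHA1Hash must be 20 bytes")
            body += bytes([ident]) + payload
        elif ident == X509_NAME:
            if not payload:
                raise ValueError("DistinguishedName<1..2^16-1> cannot be empty")
            body += bytes([ident]) + _u16(len(payload)) + payload
        else:
            raise ValueError("unknown IdentifierType %r" % (ident,))
    return _u16(len(body)) + body


def decode_trusted_ca_keys(data):
    """Strict parse: every length must match, unknown types and truncation are errors."""
    total, pos = _read_u16(data, 0)
    if len(data) != 2 + total:
        raise ValueError("trusted_authorities_list length mismatch")
    out = []
    while pos < len(data):
        ident = data[pos]
        pos += 1
        if ident == PRE_AGREED:
            payload = b""
        elif ident in (KEY_SHA1_HASH, CERT_SHA1_HASH):
            payload, pos = _take(data, pos, SHA1_LEN)
        elif ident == X509_NAME:
            n, pos = _read_u16(data, pos)
            if n == 0:
                raise ValueError("empty DistinguishedName")
            payload, pos = _take(data, pos, n)
        else:
            raise ValueError("unknown IdentifierType %d" % ident)
        out.append((ident, payload))
    return out


def encode_certificate_authorities(names):
    """names: list of DER-encoded X.501 Names. Returns a CertificateAuthoritiesExtension body."""
    body = b""
    for name in names:
        if not name:
            raise ValueError("DistinguishedName<1..2^16-1> cannot be empty")
        body += _u16(len(name)) + name
    if len(body) < 3:
        raise ValueError("authorities<3..2^16-1> needs at least one name")
    return _u16(len(body)) + body


def decode_certificate_authorities(data):
    total, pos = _read_u16(data, 0)
    if len(data) != 2 + total or total < 3:
        raise ValueError("authorities length mismatch")
    names = []
    while pos < len(data):
        n, pos = _read_u16(data, pos)
        if n == 0:
            raise ValueError("empty DistinguishedName")
        name, pos = _take(data, pos, n)
        names.append(name)
    return names


def extension(ext_type, ext_data):
    """Wrap a body as TLS Extension {extension_type, extension_data<0..2^16-1>}."""
    return _u16(ext_type) + _u16(len(ext_data)) + ext_data


# Constructed sample (not a real CA): DER Name with a single RDN, CN="Example CA".
SAMPLE_NAME = bytes.fromhex("301531133011" "0603550403" "0c0a" + b"Example CA".hex())

if __name__ == "__main__":
    tls12 = extension(TRUSTED_CA_KEYS,
                      encode_trusted_ca_keys([(X509_NAME, SAMPLE_NAME), (PRE_AGREED, b"")]))
    tls13 = extension(CERTIFICATE_AUTHORITIES, encode_certificate_authorities([SAMPLE_NAME]))
    print("TLS<=1.2 trusted_ca_keys (type 3):        ", tls12.hex())
    print("TLS 1.3 certificate_authorities (type 47):", tls13.hex())
```

The decoders are deliberately strict (no trailing bytes, no zero-length names, no unknown identifier types), which is the posture a defender wants in a TLS parser; the two encoders take the same logical input (a list of CA names) and differ only in framing, which is the point of Jakob's suggestion that a single API should govern both.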