SSL_set_client_CA_list(ssl, NULL) problem?
Benjamin Kaduk
bkaduk at akamai.com
Fri Jan 3 19:48:49 UTC 2020
Sorry for the very late response...
On Sun, Nov 24, 2019 at 12:05:34PM +0100, Claus Assmann wrote:
> Seems it is impossible to override the list with NULL for SSL, as
> the code will then use the list from CTX (if my limited understanding
> of the code is correct):
>
> STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
> {
> ...
> if (s->client_CA != NULL)
> return (s->client_CA);
> else
> return (s->ctx->client_CA);
>
> Is this intentional? The man pages says:
Yes.
> SSL_set_client_CA_list() sets the list of CAs sent to the client when
> requesting a client certificate for the chosen ssl, overriding the
> setting valid for ssl's SSL_CTX object.
>
>
> IMHO there should be some indication (flag) that the value from SSL
> should be used (to distinguish between the ways NULL is used: "this
> is NULL because of the initialization" and "this is explicitly set
> to NULL").
You should be able to set a "zero-length list" (which is a non-NULL pointer
value) in order to get your desired behavior.
-Ben
More information about the openssl-users
mailing list