[openssl-users] 'No client certificate CA names sent'

Viktor Dukhovni openssl-users at dukhovni.org
Sun Jan 29 17:36:27 UTC 2017


> On Jan 29, 2017, at 11:34 AM, russellbell at gmail.com wrote:
> 
> What does this message mean?  That I failed to send a client
> certificate CA name?  That I failed to receive one?  I run
> 
>  $ openssl s_client -certform gmail.pem -key gmail.key \
>      -CAfile cacert.pem -debug -verify 10 -connect smtp.gmail.com:465
> 
> I don't see an argument to send a client certificate CA name in
> s_client's man page.

The list of "client certificate CA names" is optionally sent by servers when
requesting client certificates.   It is normal for no such list to be sent,
and it is often wise to send an empty list when requesting client certificates.
All this is controlled on the server side.

-- 
	Viktor.
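
An added example, not part of the original post and not OpenSSL code: a minimal parser for the body of a TLS 1.2 CertificateRequest message (RFC 5246, section 7.4.4), showing where the server's optional list of CA names sits and what an empty list looks like on the wire. The function names, the sample messages and the wording returned for a non-empty list are constructed for illustration; TLS 1.3 carries this list in an extension instead and is not covered.

```python
import struct

def parse_certificate_request(body: bytes) -> dict:
    """Parse a TLS 1.2 CertificateRequest body (RFC 5246, section 7.4.4)."""
    pos = 0

    def take(n: int) -> bytes:
        nonlocal pos
        if pos + n > len(body):
            raise ValueError("truncated CertificateRequest")
        pos += n
        return body[pos - n:pos]

    def u16() -> int:
        return struct.unpack("!H", take(2))[0]

    cert_types = list(take(take(1)[0]))      # certificate_types<1..2^8-1>
    sig_raw = take(u16())                    # supported_signature_algorithms
    if len(sig_raw) % 2:
        raise ValueError("odd signature algorithm vector length")
    sig_algs = [tuple(sig_raw[i:i + 2]) for i in range(0, len(sig_raw), 2)]

    ca_len = u16()                           # certificate_authorities<0..2^16-1>
    if pos + ca_len != len(body):
        raise ValueError("CA list length does not match message length")
    ca_names = []
    while pos < len(body):
        dn = take(u16())                     # one DER-encoded DistinguishedName
        if not dn:
            raise ValueError("empty DistinguishedName")
        ca_names.append(dn)
    return {"cert_types": cert_types, "sig_algs": sig_algs, "ca_names": ca_names}

def ca_names_status(body: bytes) -> str:
    """Summarise the CA list the way a client-side diagnostic might."""
    names = parse_certificate_request(body)["ca_names"]
    if not names:
        return "No client certificate CA names sent"   # message quoted in the thread
    return f"{len(names)} client certificate CA name(s) sent"  # example wording

# Constructed sample data: rsa_sign(1) and ecdsa_sign(64); two signature algorithms.
PREFIX = b"\x02\x01\x40" + b"\x00\x04\x04\x01\x04\x03"
# Constructed DER Name with a single RDN, CN=Example CA.
SAMPLE_DN = bytes.fromhex("30153113301106035504030c0a") + b"Example CA"
EMPTY_LIST = PREFIX + b"\x00\x00"            # server sent a zero-length CA list
WITH_ONE_CA = PREFIX + struct.pack("!HH", len(SAMPLE_DN) + 2, len(SAMPLE_DN)) + SAMPLE_DN

if __name__ == "__main__":
    print(ca_names_status(EMPTY_LIST))
    print(ca_names_status(WITH_ONE_CA))
```
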

