[openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

Charles Mills charlesm at mcn.org
Mon Dec 3 01:14:44 UTC 2018

Do I need to say no calls to SSL_CTX_set_client_CA_list() nor any of the
three related functions listed on the man page?




From: Charles Mills [mailto:charlesm at mcn.org] 
Sent: Sunday, December 2, 2018 4:38 PM
To: 'openssl-users at openssl.org'
Subject: Question on necessity of SSL_CTX_set_client_CA_list


I have an OpenSSL (v1.1.0f) server application that processes client


The doc for SSL_CTX_load_verify_locations() states "In server mode, when
requesting a client certificate, the server must send the list of CAs of
which it will accept client certificates. This list is not influenced by the
contents of CAfile or CApath and must explicitly be set using the
SSL_CTX_set_client_CA_list family of functions."


The application makes no calls to SSL_CTX_set_client_CA_list() yet receives
client certificates without errors.


Can someone please explain the discrepancy. I'm especially wondering if I
have set a trap that will spring down the road: "yes it works, but if a user
does X then it will not work."






-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20181202/b225e0f2/attachment.html>

More information about the openssl-users mailing list