[openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

[Viktor Dukhovni]

> On Dec 2, 2018, at 7:38 PM, Charles Mills <charlesm at mcn.org> wrote:
> 
> I have an OpenSSL (v1.1.0f) server application that processes client certificates.
>  
> The doc for SSL_CTX_load_verify_locations() states “In server mode, when requesting a client certificate, the server must send the list of CAs of which it will accept client certificates. This list is not influenced by the contents of CAfile or CApath and must explicitly be set using the SSL_CTX_set_client_CA_list family of functions.”
>  
> The application makes no calls to SSL_CTX_set_client_CA_list() yet receives client certificates without errors.
>  
> Can someone please explain the discrepancy. I’m especially wondering if I have set a trap that will spring down the road: “yes it works, but if a user does X then it will not work.”

The default list is empty.  Some client implementations, IIRC Java's TLS
stack or at least some Java TLS toolkits, will not use a client certificate
unless the server's list is non-empty, and perhaps may also require that it
include a CA name that matches an issuer of their certificate.

Other clients have but one default certificate and use it regardless of the
server's CA list.  Your mileage may vary.

-- 
	Viktor.