[openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

Charles Mills charlesm at mcn.org
Mon Dec 3 17:54:47 UTC 2018


Got it. Thanks. I would think the basic client case is "one certificate, one CA" so I think I will roll with what we have (especially since the product has been out there for years with no reported problems in this area -- although I think client certificate usage is rare) but keep the issue in mind if a problem comes up.

Charles


-----Original Message-----
From: openssl-users [mailto:openssl-users-bounces at openssl.org] On Behalf Of Viktor Dukhovni
Sent: Sunday, December 2, 2018 5:50 PM
To: openssl-users at openssl.org
Subject: Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

> On Dec 2, 2018, at 7:38 PM, Charles Mills <charlesm at mcn.org> wrote:
> 
> I have an OpenSSL (v1.1.0f) server application that processes client certificates.
>  
> The doc for SSL_CTX_load_verify_locations() states “In server mode, when requesting a client certificate, the server must send the list of CAs of which it will accept client certificates. This list is not influenced by the contents of CAfile or CApath and must explicitly be set using the SSL_CTX_set_client_CA_list family of functions.”
>  
> The application makes no calls to SSL_CTX_set_client_CA_list() yet receives client certificates without errors.
>  
> Can someone please explain the discrepancy? I’m especially wondering if I have set a trap that will spring down the road: “yes it works, but if a user does X then it will not work.”

The default list is empty.  Some client implementations, IIRC Java's TLS
stack or at least some Java TLS toolkits, will not use a client certificate
unless the server's list is non-empty, and perhaps may also require that it
include a CA name that matches an issuer of their certificate.

Other clients have but one default certificate and use it regardless of the
server's CA list.  Your mileage may vary.

-- 
	Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
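The trap Viktor describes can be reproduced end to end without a Java stack. The program below is an added example, not code from this thread or from OpenSSL: it uses Go's crypto/tls as the stand-in for a client that does consult the server's advertised CA list (recent Go releases only send a configured certificate if the CertificateRequest's CA list is empty or names the certificate's issuer). The server side requests a client certificate and advertises one of three lists: no names at all, which is what an OpenSSL server that never calls SSL_CTX_set_client_CA_list sends; the client's own issuer; or an unrelated CA. All CAs, keys and certificates are generated in memory and are constructed for the demo, as are the names "Demo Client CA" and "Unrelated CA".

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net"
	"time"
)

// Outcome records whether the client presented a certificate in each scenario.
type Outcome struct{ EmptyList, MatchingList, UnrelatedList bool }

// newCA builds a throwaway in-memory self-signed CA (constructed for this demo).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		log.Fatal(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// issueLeaf signs an end-entity certificate with ca. A server leaf carries the
// loopback IP so the client can verify it; a client leaf carries clientAuth.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string, server bool) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		log.Fatal(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if server {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.IPAddresses = []net.IP{net.IPv4(127, 0, 0, 1)}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		log.Fatal(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// clientSentCert runs one handshake over loopback TCP. The server asks for a
// client certificate without requiring one and advertises the subjects in
// advertisedCAs; nil means an empty CA list in the CertificateRequest.
func clientSentCert(serverCert, clientCert tls.Certificate, serverRoot *x509.Certificate, advertisedCAs *x509.CertPool) (bool, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return false, err
	}
	defer ln.Close()
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequestClientCert, // ask, do not insist
		ClientCAs:    advertisedCAs,         // subjects sent in CertificateRequest
	}
	result, errc := make(chan bool, 1), make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			errc <- err
			return
		}
		defer c.Close()
		c.SetDeadline(time.Now().Add(10 * time.Second))
		s := tls.Server(c, srvCfg)
		if err := s.Handshake(); err != nil {
			errc <- err
			return
		}
		result <- len(s.ConnectionState().PeerCertificates) > 0
	}()
	roots := x509.NewCertPool()
	roots.AddCert(serverRoot)
	cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
		RootCAs:      roots,
		Certificates: []tls.Certificate{clientCert}, // the client's one default certificate
	})
	if err != nil {
		return false, err
	}
	defer cli.Close()
	select {
	case r := <-result:
		return r, nil
	case err := <-errc:
		return false, err
	}
}

// runScenarios exercises the three CA-list shapes against the same client.
func runScenarios() (Outcome, error) {
	ca, caKey := newCA("Demo Client CA")
	other, _ := newCA("Unrelated CA")
	serverCert := issueLeaf(ca, caKey, "127.0.0.1", true)
	clientCert := issueLeaf(ca, caKey, "demo client", false)
	matching, unrelated := x509.NewCertPool(), x509.NewCertPool()
	matching.AddCert(ca)
	unrelated.AddCert(other)

	var out Outcome
	var err error
	if out.EmptyList, err = clientSentCert(serverCert, clientCert, ca, nil); err != nil {
		return out, err
	}
	if out.MatchingList, err = clientSentCert(serverCert, clientCert, ca, matching); err != nil {
		return out, err
	}
	if out.UnrelatedList, err = clientSentCert(serverCert, clientCert, ca, unrelated); err != nil {
		return out, err
	}
	return out, nil
}

func main() {
	out, err := runScenarios()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("empty CA list:      client sent cert = %v\n", out.EmptyList)
	fmt.Printf("issuer in CA list:  client sent cert = %v\n", out.MatchingList)
	fmt.Printf("unrelated CA list:  client sent cert = %v\n", out.UnrelatedList)
}
```

Against this client the empty list works, which matches what Charles observes in production, and so does a list that names the right issuer; a non-empty list that names the wrong CA makes the client withhold its certificate, and a server that had been relying on the certificate (for example with the Go equivalent of SSL_VERIFY_FAIL_IF_NO_PEER_CERT) would then reject the connection. The practical mitigation on the OpenSSL side is to advertise the CAs that are actually trusted for client certificates, for instance by loading them from the same file passed to SSL_CTX_load_verify_locations, rather than leaving the list empty and depending on how each client implementation treats that.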