[openssl-users] sendmail, openssl 1.1.1, tls1.3
Claus Assmann
ca+ssl-users at esmtp.org
Wed Nov 14 02:45:42 UTC 2018
On Mon, Oct 15, 2018, Viktor Dukhovni wrote:
> With TLS 1.3, you suddenly have clients optionally soliciting certificates
> by specific CA from servers [[...]]
> With 149 certs, and typical CA names O(80) bytes, we're looking at
> ~12KB of cert names, which should fit into an extension that can be
> up to 64KB in size. So overflowing the extension size limit would
I'm a bit confused why this happens -- the OpenSSL documentation
states:
------------------------------------------------------------
SSL_CTX_set_client_CA_list() sets the list of CAs sent to the client
when requesting a client certificate for ctx. Ownership of list is
...
------------------------------------------------------------
Does SSL_CTX_set_client_CA_list() also set the list of CAs sent by
the client (a brief look at the source code seems to confirm that,
but I don't understand the code well enough)? Or what other function
sets that list? sendmail does not use SSL_CTX_set0_CA_list().
More information about the openssl-users
mailing list