[openssl-users] sendmail, openssl 1.1.1, tls1.3

Claus Assmann ca+ssl-users at esmtp.org
Wed Nov 14 02:45:42 UTC 2018

On Mon, Oct 15, 2018, Viktor Dukhovni wrote:

> With TLS 1.3, you suddenly have clients optionally soliciting certificates
> by specific CA from servers [[...]]

> With 149 certs, and typical CA names O(80) bytes, we're looking at
> ~12KB of cert names, which should fit into an extension that can be
> up to 64KB in size.  So overflowing the extension size limit would

I'm a bit confused why this happens -- the OpenSSL documentation
    SSL_CTX_set_client_CA_list() sets the list of CAs sent to the client
    when requesting a client certificate for ctx. Ownership of list is

Does SSL_CTX_set_client_CA_list() also set the list of CAs sent by
the client (a brief look at the source code seems to confirm that,
but I don't understand the code well enough)? Or what other function
sets that list? sendmail does not use SSL_CTX_set0_CA_list().

More information about the openssl-users mailing list