[openssl-users] Client CA list sending is also in TLS < 1.3 (RFC6066)

Jakob Bohm jb-openssl at wisemo.com
Mon Nov 26 16:33:54 UTC 2018


The ability of a TLS client to optionally send a list of trusted
CAs to the TLS server is not new in TLS 1.3.

In TLS 1.2 and older it was an extension "Trusted CA Indication" (3),
defined in RFC6066 Chapter 6.

So I would suggest that any OpenSSL API to control that feature in
TLS 1.3 also affects the matching TLS < 1.3 functionality, and is
separated from the APIs that control the TLS server sending a list
of client certificate CAs to clients.

This aspect was somehow missed in a recent discussion of this TLS 1.3
behavior (which I cannot find right now).


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
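As an added illustration (not part of the post above, nor OpenSSL's own code), the structure the TLS <= 1.2 "Trusted CA Indication" extension carries is small enough to encode and parse by hand; the DistinguishedName and hash bytes below are constructed placeholders, and the decoder checks every inner length against the enclosing list so a truncated or over-long entry is rejected rather than read past the end.

```python
# IdentifierType values from RFC 6066 section 6 ("Trusted CA Indication", extension 3).
PRE_AGREED, KEY_SHA1_HASH, X509_NAME, CERT_SHA1_HASH = 0, 1, 2, 3

# Constructed sample values (not from the post): a DER Name "CN=Example" and a
# placeholder 20-byte value standing in for a SHA-1 certificate hash.
SAMPLE_DN = bytes.fromhex("30123110300e060355040313074578616d706c65")
SAMPLE_HASH = bytes(range(20))


def _need(cond, msg):
    if not cond:
        raise ValueError(msg)


def encode_trusted_ca_keys(authorities):
    """Serialise (identifier_type, payload) pairs as a TrustedAuthorities body."""
    body = b""
    for ident_type, payload in authorities:
        body += bytes([ident_type])
        if ident_type in (KEY_SHA1_HASH, CERT_SHA1_HASH):   # fixed 20-byte SHA1Hash
            _need(len(payload) == 20, "SHA1Hash must be exactly 20 bytes")
            body += payload
        elif ident_type == X509_NAME:                      # DistinguishedName<1..2^16-1>
            _need(1 <= len(payload) <= 0xFFFF, "DistinguishedName length out of range")
            body += len(payload).to_bytes(2, "big") + payload
        else:                                              # pre_agreed carries no payload
            _need(ident_type == PRE_AGREED, "unknown IdentifierType")
    return len(body).to_bytes(2, "big") + body  # trusted_authorities_list<0..2^16-1>


def decode_trusted_ca_keys(data):
    """Parse a TrustedAuthorities body, checking every inner length against the list."""
    _need(len(data) >= 2, "truncated list length")
    end = 2 + int.from_bytes(data[:2], "big")
    _need(len(data) == end, "list length does not match body length")
    pos, out = 2, []
    while pos < end:
        ident_type, pos = data[pos], pos + 1
        if ident_type == PRE_AGREED:
            out.append((PRE_AGREED, b""))
        elif ident_type in (KEY_SHA1_HASH, CERT_SHA1_HASH):
            _need(pos + 20 <= end, "truncated SHA1Hash")
            out.append((ident_type, data[pos:pos + 20]))
            pos += 20
        elif ident_type == X509_NAME:
            n = int.from_bytes(data[pos:pos + 2], "big")   # short slice is caught below
            _need(1 <= n and pos + 2 + n <= end, "DistinguishedName overruns list")
            out.append((X509_NAME, data[pos + 2:pos + 2 + n]))
            pos += 2 + n
        else:
            raise ValueError("unknown IdentifierType %d" % ident_type)
    return out
```

The TLS 1.3 certificate_authorities extension, by contrast, carries only a list of DistinguishedName values, which is why the post argues the client-side API should cover both wire formats while staying separate from the server's client-CA list.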
