[openssl-users] Client CA list sending is also in TLS < 1.3 (RFC6066)

Viktor Dukhovni openssl-users at dukhovni.org
Mon Nov 26 19:04:11 UTC 2018

> On Nov 26, 2018, at 11:33 AM, Jakob Bohm via openssl-users <openssl-users at openssl.org> wrote:
> In TLS 1.2 and older it was an extension "Trusted CA Indication" (3),
> defined in RFC6066 Chapter 6.
> So I would suggest that any OpenSSL API to control that feature in
> TLS 1.3 also affects the matching TLS < 1.3 functionality, and is
> separated from the APIs that control the TLS server sending a list
> of client certificate CAs to clients.
> This aspect was somehow missed in a recent discussion of this TLS 1.3
> behavior (which I cannot find right now).

Thanks for the update.  I guess OpenSSL never implemented RFC6066.
I am not sure that support this in TLS 1.2 is worth adding, but you
have a valid of principle.  If it were added, it should use the same
API that supports the equivalent feature in TLS 1.3 in OpenSSL 1.1.1a.


More information about the openssl-users mailing list