[openssl-users] Client CA list sending is also in TLS < 1.3 (RFC6066)

Jakob Bohm jb-openssl at wisemo.com
Mon Nov 26 19:15:31 UTC 2018

On 26/11/2018 20:04, Viktor Dukhovni wrote:
>> On Nov 26, 2018, at 11:33 AM, Jakob Bohm via openssl-users <openssl-users at openssl.org> wrote:
>> In TLS 1.2 and older it was an extension "Trusted CA Indication" (3),
>> defined in RFC6066 Chapter 6.
>> So I would suggest that any OpenSSL API to control that feature in
>> TLS 1.3 also affects the matching TLS < 1.3 functionality, and is
>> separated from the APIs that control the TLS server sending a list
>> of client certificate CAs to clients.
>> This aspect was somehow missed in a recent discussion of this TLS 1.3
>> behavior (which I cannot find right now).
> Thanks for the update.  I guess OpenSSL never implemented RFC6066.
> I am not sure that supporting this in TLS 1.2 is worth adding, but you
> have a valid point of principle.  If it were added, it should use the same
> API that supports the equivalent feature in TLS 1.3 in OpenSSL 1.1.1a.
Just to clarify: RFC6066 is the main RFC for basic TLS extensions,
with chapters defining such things as SNI and OCSP stapling.


Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
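As an added example, not code from this thread or from OpenSSL, the following Python decodes the two wire formats the thread contrasts: the TLS 1.2 "Trusted CA Indication" extension (trusted_ca_keys, type 3, RFC 6066 section 6), whose list entries carry an IdentifierType byte followed by a pre-agreed marker, a 20-byte SHA-1 hash or a DER DistinguishedName, and the TLS 1.3 certificate_authorities extension (type 47, RFC 8446 section 4.2.4), whose list is simply length-prefixed DistinguishedNames. The sample DN and hash values are constructed, and all function and constant names are my own; the point it shows is that the two encodings are not interchangeable, which is why a single API controlling both still has to emit different bytes per protocol version.

```python
import struct
from typing import List, Tuple

# IANA TLS ExtensionType numbers for the two mechanisms discussed above.
TRUSTED_CA_KEYS = 3            # RFC 6066 section 6 (TLS 1.2 and earlier)
CERTIFICATE_AUTHORITIES = 47   # RFC 8446 section 4.2.4 (TLS 1.3)

# IdentifierType values from RFC 6066 section 6.
PRE_AGREED, KEY_SHA1_HASH, X509_NAME, CERT_SHA1_HASH = 0, 1, 2, 3
ID_NAMES = {PRE_AGREED: "pre_agreed", KEY_SHA1_HASH: "key_sha1_hash",
            X509_NAME: "x509_name", CERT_SHA1_HASH: "cert_sha1_hash"}
ID_CODES = {name: code for code, name in ID_NAMES.items()}

# Constructed sample: DER-encoded X.501 Name for "CN=Example CA"
# (SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String "Example CA" } } }).
CN_EXAMPLE_CA = bytes.fromhex("30153113301106035504030c0a") + b"Example CA"


def _u16(buf: bytes, pos: int, end: int) -> Tuple[int, int]:
    """Read a big-endian uint16 at pos without reading past end."""
    if pos + 2 > end:
        raise ValueError("truncated length field")
    return struct.unpack("!H", buf[pos:pos + 2])[0], pos + 2


def _list_bounds(body: bytes) -> int:
    """Check the outer <0..2^16-1> vector length against extension_data."""
    n, pos = _u16(body, 0, len(body))
    if pos + n != len(body):
        raise ValueError("vector length does not match extension_data length")
    return len(body)


def parse_trusted_authorities(body: bytes) -> List[Tuple[str, bytes]]:
    """Decode trusted_ca_keys extension_data (RFC 6066 section 6)."""
    end, pos, out = _list_bounds(body), 2, []
    while pos < end:
        id_type, pos = body[pos], pos + 1
        if id_type == PRE_AGREED:
            ident = b""                       # empty struct on the wire
        elif id_type in (KEY_SHA1_HASH, CERT_SHA1_HASH):
            if pos + 20 > end:
                raise ValueError("truncated SHA1Hash")
            ident, pos = body[pos:pos + 20], pos + 20
        elif id_type == X509_NAME:
            n, pos = _u16(body, pos, end)     # opaque DistinguishedName<1..2^16-1>
            if n < 1 or pos + n > end:
                raise ValueError("bad DistinguishedName length")
            ident, pos = body[pos:pos + n], pos + n
        else:
            raise ValueError(f"unknown IdentifierType {id_type}")
        out.append((ID_NAMES[id_type], ident))
    return out


def encode_trusted_authorities(entries: List[Tuple[str, bytes]]) -> bytes:
    """Encode trusted_ca_keys extension_data from (type name, identifier) pairs."""
    items = bytearray()
    for name, ident in entries:
        code = ID_CODES[name]
        if code in (KEY_SHA1_HASH, CERT_SHA1_HASH) and len(ident) != 20:
            raise ValueError("SHA1Hash must be exactly 20 bytes")
        items.append(code)
        if code == X509_NAME:
            items += struct.pack("!H", len(ident))
        items += ident
    return struct.pack("!H", len(items)) + bytes(items)


def parse_certificate_authorities(body: bytes) -> List[bytes]:
    """Decode certificate_authorities extension_data (RFC 8446 section 4.2.4)."""
    end, pos, out = _list_bounds(body), 2, []
    if end - 2 < 3:                           # DistinguishedName authorities<3..2^16-1>
        raise ValueError("authorities vector shorter than its minimum of 3 bytes")
    while pos < end:
        n, pos = _u16(body, pos, end)
        if n < 1 or pos + n > end:
            raise ValueError("bad DistinguishedName length")
        out.append(body[pos:pos + n])
        pos += n
    return out


def encode_certificate_authorities(names: List[bytes]) -> bytes:
    """Encode certificate_authorities extension_data from DER names."""
    items = b"".join(struct.pack("!H", len(n)) + n for n in names)
    return struct.pack("!H", len(items)) + items


def extension_is_well_formed(ext_type: int, body: bytes) -> bool:
    """Validate extension_data with the parser that matches its type number."""
    parser = {TRUSTED_CA_KEYS: parse_trusted_authorities,
              CERTIFICATE_AUTHORITIES: parse_certificate_authorities}.get(ext_type)
    if parser is None:
        return False
    try:
        parser(body)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    old = encode_trusted_authorities([("x509_name", CN_EXAMPLE_CA), ("pre_agreed", b"")])
    new = encode_certificate_authorities([CN_EXAMPLE_CA])
    print("TLS 1.2 trusted_ca_keys:", old.hex())
    print("TLS 1.3 certificate_authorities:", new.hex())
    print("1.3 bytes accepted by 1.2 parser:", extension_is_well_formed(TRUSTED_CA_KEYS, new))
```

Feeding the TLS 1.3 encoding of a single name to the TLS 1.2 parser is rejected (the first byte of the name length is read as IdentifierType pre_agreed and the second as an unknown type), and the reverse is rejected too, so a receiver must pick the decoder by extension type and protocol version and check every length against the enclosing vector before indexing into it.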