[openssl-users] Client CA list sending is also in TLS < 1.3 (RFC6066)
Jakob Bohm
jb-openssl at wisemo.com
Mon Nov 26 19:15:31 UTC 2018
On 26/11/2018 20:04, Viktor Dukhovni wrote:
>> On Nov 26, 2018, at 11:33 AM, Jakob Bohm via openssl-users <openssl-users at openssl.org> wrote:
>>
>> In TLS 1.2 and older it was an extension "Trusted CA Indication" (3),
>> defined in RFC6066 Chapter 6.
>>
>> So I would suggest that any OpenSSL API to control that feature in
>> TLS 1.3 also affects the matching TLS < 1.3 functionality, and is
>> separated from the APIs that control the TLS server sending a list
>> of client certificate CAs to clients.
>>
>> This aspect was somehow missed in a recent discussion of this TLS 1.3
>> behavior (which I cannot find right now).
> Thanks for the update. I guess OpenSSL never implemented RFC6066.
> I am not sure that support this in TLS 1.2 is worth adding, but you
> have a valid of principle. If it were added, it should use the same
> API that supports the equivalent feature in TLS 1.3 in OpenSSL 1.1.1a.
>
Just to clarify: RFC6066 is the main RFC for basic TLS extensions,
with chapters defining such things as SNI, and OCSP stapling.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
More information about the openssl-users
mailing list