SSL_set_client_CA_list(ssl, NULL) problem?
Claus Assmann
ca+ssl-users at esmtp.org
Sun Nov 24 11:05:34 UTC 2019
Seems it is impossible to override the list with NULL for SSL, as
the code will then use the list from CTX (if my limited understanding
of the code is correct):
STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
{
...
if (s->client_CA != NULL)
return (s->client_CA);
else
return (s->ctx->client_CA);
Is this intentional? The man pages says:
SSL_set_client_CA_list() sets the list of CAs sent to the client when
requesting a client certificate for the chosen ssl, overriding the
setting valid for ssl's SSL_CTX object.
IMHO there should be some indication (flag) that the value from SSL
should be used (to distinguish between the ways NULL is used: "this
is NULL because of the initialization" and "this is explicitly set
to NULL").
More information about the openssl-users
mailing list