SSL_set_client_CA_list(ssl, NULL) problem?

Claus Assmann ca+ssl-users at
Sun Nov 24 11:05:34 UTC 2019

Seems it is impossible to override the list with NULL for SSL, as
the code will then use the list from CTX (if my limited understanding
of the code is correct):

STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
        if (s->client_CA != NULL)
            return (s->client_CA);
            return (s->ctx->client_CA);

Is this intentional? The man pages says:

SSL_set_client_CA_list() sets the list of CAs sent to the client when
requesting a client certificate for the chosen ssl, overriding the
setting valid for ssl's SSL_CTX object.

IMHO there should be some indication (flag) that the value from SSL
should be used (to distinguish between the ways NULL is used: "this
is NULL because of the initialization" and "this is explicitly set
to NULL").

More information about the openssl-users mailing list