SSL_set_client_CA_list(ssl, NULL) problem?

Benjamin Kaduk bkaduk at akamai.com
Fri Jan 3 19:48:49 UTC 2020


Sorry for the very late response...

On Sun, Nov 24, 2019 at 12:05:34PM +0100, Claus Assmann wrote:
> Seems it is impossible to override the list with NULL for SSL, as
> the code will then use the list from CTX (if my limited understanding
> of the code is correct):
> 
> STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
> {
> ...
>         if (s->client_CA != NULL)
>             return (s->client_CA);
>         else
>             return (s->ctx->client_CA);
> 
> Is this intentional? The man pages says:

Yes.

> SSL_set_client_CA_list() sets the list of CAs sent to the client when
> requesting a client certificate for the chosen ssl, overriding the
> setting valid for ssl's SSL_CTX object.
> 
> 
> IMHO there should be some indication (flag) that the value from SSL
> should be used (to distinguish between the ways NULL is used: "this
> is NULL because of the initialization" and "this is explicitly set
> to NULL").

You should be able to set a "zero-length list" (which is a non-NULL pointer
value) in order to get your desired behavior.

-Ben


More information about the openssl-users mailing list