SSL_set_client_CA_list(ssl, NULL) problem?

Claus Assmann ca+ssl-users at
Thu Jan 9 05:52:05 UTC 2020

On Fri, Jan 03, 2020, Benjamin Kaduk via openssl-users wrote:

> On Sun, Nov 24, 2019 at 12:05:34PM +0100, Claus Assmann wrote:
> > Seems it is impossible to override the list with NULL for SSL, as
> > the code will then use the list from CTX (if my limited understanding

> > Is this intentional? The man pages says:

> Yes.

Then it would be nice to document this in the man page by adding some
text based on this:

> You should be able to set a "zero-length list" (which is a non-NULL pointer
> value) in order to get your desired behavior.

to it, e.g.,

SSL_set_client_CA_list() sets the list of CAs sent to the client when
requesting a client certificate for the chosen ssl, overriding the
setting valid for ssl's SSL_CTX object. Note: to clear the CA list
an empty stack must be passed as argument (not NULL), e.g.,
  STACK_OF(X509_NAME) *certs;
  certs = sk_X509_NAME_new_null();
  /* handle NULL result */
  SSL_CTX_set_client_CA_list(ssl, certs ;

I did a brief test and it seems to work, thanks!

More information about the openssl-users mailing list