SSL_set_client_CA_list(ssl, NULL) problem?
Claus Assmann
ca+ssl-users at esmtp.org
Thu Jan 9 05:52:05 UTC 2020
On Fri, Jan 03, 2020, Benjamin Kaduk via openssl-users wrote:
> On Sun, Nov 24, 2019 at 12:05:34PM +0100, Claus Assmann wrote:
> > Seems it is impossible to override the list with NULL for SSL, as
> > the code will then use the list from CTX (if my limited understanding
> > Is this intentional? The man pages says:
> Yes.
Then it would be nice to document this in the man page by adding some
text based on this:
> You should be able to set a "zero-length list" (which is a non-NULL pointer
> value) in order to get your desired behavior.
to it, e.g.,
SSL_set_client_CA_list() sets the list of CAs sent to the client when
requesting a client certificate for the chosen ssl, overriding the
setting valid for ssl's SSL_CTX object. Note: to clear the CA list
an empty stack must be passed as argument (not NULL), e.g.,
STACK_OF(X509_NAME) *certs;
certs = sk_X509_NAME_new_null();
/* handle NULL result */
SSL_CTX_set_client_CA_list(ssl, certs ;
I did a brief test and it seems to work, thanks!
More information about the openssl-users
mailing list