resumption problem

Viktor Dukhovni openssl-users at dukhovni.org
Fri Mar 27 23:38:52 UTC 2020


On Fri, Mar 27, 2020 at 10:10:16PM +0000, Jeremy Harris wrote:

> >> A simple code addition to avoid that call in the client case sounds
> >> in order. 
> 
> Testing, it appears to work - I get resumption and not that error.
> And the Exim testsuite shows no regressions, at least on my laptop
> (which is Fedora 31, with 1.1.1d).

On a Fedora 31 system I also don't see those directives in the system
openssl.cnf or includes.  Mind you, closer inspection of the code
suggests that in the config file also "RequestCAPath" and "ClientCAPath"
would result in setting the bidirectional CA list.  But I don't find
those either.


> >>> Another possibility is that your system-wide openssl.cnf file has a
> >>> "RequestCAFile" or "ClientCAFile" setting.
> >>
> >> Neither appears to be present in /etc/pki/tls/openssl.cnf
> > 
> > And neither has any ".include" directives?

So my best guess is that you were testing with approximately a stock
1.1.1 that predates 1.1.1a, modulo security fixes.  Otherwise, it
is unclear how the client CA list (server -> client) ended up being
sent from client -> server.

-- 
    Viktor.
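The check discussed in this thread (does the system openssl.cnf, or anything it pulls in via ".include", set one of the four CA-list directives) can be scripted. The following is an added example, not part of the original message or of OpenSSL; the function names and the sample config tree are constructed, and resolving relative includes against the including file's directory is a simplification of this sketch.

```python
import os
import re
import tempfile

# Directive names from the message above; matched case-insensitively to be conservative.
CA_DIRECTIVES = ("RequestCAFile", "ClientCAFile", "RequestCAPath", "ClientCAPath")
DIRECTIVE_RE = re.compile(r"^\s*(%s)\s*=\s*(.*?)\s*$" % "|".join(CA_DIRECTIVES), re.I)
INCLUDE_RE = re.compile(r"^\s*\.include(?:\s*=\s*|\s+)(\S.*?)\s*$")

def expand_include(target, base_dir):
    """An .include may name a file or a directory (then *.cnf / *.conf are read)."""
    path = target if os.path.isabs(target) else os.path.join(base_dir, target)
    if os.path.isdir(path):
        return sorted(os.path.join(path, n) for n in os.listdir(path)
                      if n.endswith((".cnf", ".conf")))
    return [path]

def find_ca_directives(cnf_path, seen=None):
    """Return (file, line_no, directive, value) hits in cnf_path and its includes."""
    seen = set() if seen is None else seen
    real = os.path.realpath(cnf_path)
    if real in seen or not os.path.isfile(real):
        return []  # include loop or missing file
    seen.add(real)
    hits = []
    with open(real, encoding="utf-8", errors="replace") as fh:
        for line_no, raw in enumerate(fh, 1):
            line = raw.split("#", 1)[0]  # strip comments
            inc = INCLUDE_RE.match(line)
            if inc:
                for child in expand_include(inc.group(1), os.path.dirname(real)):
                    hits.extend(find_ca_directives(child, seen))
            else:
                m = DIRECTIVE_RE.match(line)
                if m:
                    hits.append((real, line_no, m.group(1), m.group(2)))
    return hits

def demo():
    """Scan a constructed config tree (not taken from any real system)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "conf.d"))
        with open(os.path.join(root, "openssl.cnf"), "w") as f:
            f.write("openssl_conf = init\n.include conf.d\n# ClientCAFile = /commented/out\n")
        with open(os.path.join(root, "conf.d", "site.cnf"), "w") as f:
            f.write("[tls_defaults]\nRequestCAFile = /etc/pki/example-ca.pem\n")
        return [(os.path.basename(p), n, d, v)
                for p, n, d, v in find_ca_directives(os.path.join(root, "openssl.cnf"))]
if __name__ == "__main__":
    print(demo())
```

An empty result from `find_ca_directives("/etc/pki/tls/openssl.cnf")` corresponds to the "neither appears to be present" answer given in the thread.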

