TLSv1.2 Distinguished Names Length 0 / how to set it

Viktor Dukhovni openssl-users at dukhovni.org
Wed Jan 19 16:41:16 UTC 2022


On Wed, Jan 19, 2022 at 05:21:27PM +0100, Olivier Germain via openssl-users wrote:

> We have a requirement to implement the Distinguished Name in the response
> received by the client. Hopefully I am ok.

More accurately, you're being asked to send a suitable non-empty list of
"Distinguished Names" in server "certificate request" extensions, when
soliciting client certificates.  This can be necessary to, e.g., solicit
client certificates from Java applications, which select the certificate
to use based on the names suggested by the server.

> How can I set in my SSL code the value for the distinguished Name?

Something along the lines of the below, which extracts the subject
DNs from a PEM file with trusted issuer (root CA) certificates:

    if (CAfile) {
        STACK_OF(X509_NAME) *calist = SSL_load_client_CA_file(CAfile);

        if (calist != NULL)
            SSL_CTX_set_client_CA_list(ctx, calist);
    }

The operator of the server should be able to configure a file of trusted
client cert issuers separately from the default list of trusted issuers.
This would ideally hold just one or a few CAs actually used to issue
client certificates trusted by the server in question.

Note the documented ownership transfer:

   SSL_CTX_set_client_CA_list() sets the list of CAs sent to the client
   when requesting a client certificate for ctx. Ownership of list is
   transferred to ctx and it should not be freed by the caller.

There are other ways to construct a stack of CA X.509 names, but loading
them from a PEM file of CA certs is typically the simplest option.

-- 
    Viktor.

