TLSv1.2 Distinguished Names Length 0 / how to set it

Olivier Germain ogermain at tibco.com
Thu Jan 20 09:03:51 UTC 2022


Hi Viktor,

Thanks a lot for your detailed response and the suggestion. I am going to
implement it and let you know.
I really appreciate your quick feedback on my request.
Thank you and best regards
Olivier

On Wed, Jan 19, 2022 at 5:49 PM Viktor Dukhovni <openssl-users at dukhovni.org>
wrote:

> On Wed, Jan 19, 2022 at 05:21:27PM +0100, Olivier Germain via
> openssl-users wrote:
>
> > We have a requirement to implement the Distinguished Name in the
> > response received by the client. Hopefully I am ok.
>
> More accurately, you're being asked to send a suitable non-empty list of
> "Distinguished Names" in server "certificate request" extensions, when
> soliciting client certificates.  This can be necessary to, e.g., solicit
> client certificates from Java applications, which select the certificate
> to use based on the names suggested by the server.
>
> > How can I set in my SSL code the value for the distinguished Name?
>
> Something along the lines of the below, which extracts the subject
> DNs from a PEM file with trusted issuer (root CA) certificates:
>
>     if (CAfile) {
>         STACK_OF(X509_NAME) *calist = SSL_load_client_CA_file(CAfile);
>
>         if (calist != NULL)
>             SSL_CTX_set_client_CA_list(ctx, calist);
>     }
>
> The operator of the server should be able to configure a file of trusted
> client cert issuers separately from the default list of trusted issuers.
> This would ideally hold just one or a few CAs actually used to issue
> client certificates trusted by the server in question.
>
> Note the documented ownership transfer:
>
>    SSL_CTX_set_client_CA_list() sets the list of CAs sent to the client
>    when requesting a client certificate for ctx. Ownership of list is
>    transferred to ctx and it should not be freed by the caller.
>
> There are other ways to construct a stack of CA X.509 names, but loading
> them from a PEM file of CA certs is typically the simplest option.
>
> --
>     Viktor.
>


-- 
Olivier GERMAIN
TIBCO Support

TIBCO software
18, rue du 4 Septembre
75002 Paris, France
Mobile : +33 6 45 30 23 31