Re: when does a server need to use SSL_CTX_set_client_CA_list()?

From: Ronald Klop <ronald-lists_at_klop.ws>
Date: Sun, 15 Mar 2020 19:41:08 +0100
On Sat, 14 Mar 2020 02:28:22 +0100, Rick Macklem <rmacklem_at_uoguelph.ca> wrote:

> Hi,
>
> Since it is done in sample code, I have an option in the RPC-over-TLS
> server daemon that does the SSL_CTX_set_client_CA_list() call.
> When I test, I have not used this option and the code seems to work.
> Maybe this is because the client only has a single certificate?
>
> Here's the lame description I have in the man page for the option:
> .It Fl C Ar client_cafile
> If this option is specified, the server calls
> .Dq SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(``client_cafile''))
> during TLS context configuration.
> I do not know when this is needed, but it appears to be required for
> certain TLS configurations.
>
> Does someone know when this call is needed?
> Can you explain it? (Just about anything is better than the above;-)
>


grep -r SSL_CTX_set_client_CA_list /usr/src/* gives a couple of matches (sendmail, wpa & unbound). Maybe that source gives a hint.

Regards,

Ronald.


> Thanks, rick
> _______________________________________________
> freebsd-current_at_freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to "freebsd-current-unsubscribe_at_freebsd.org"
Received on Sun Mar 15 2020 - 17:41:12 UTC
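The call asked about in the quoted message sets the list of CA names a server advertises in its CertificateRequest; a client holding certificates from several issuers uses that list to decide which one to present. The following plain-C model is an added example, not code from this thread, from FreeBSD or from OpenSSL: it encodes such a list in the TLS vector format and shows a client choosing a certificate against it. The function names are mine, and the CA and subject names are constructed strings standing in for DER-encoded Distinguished Names, so it builds without OpenSSL headers.

```c
/* Added example: a plain-C model of the TLS certificate_authorities list
 * that SSL_CTX_set_client_CA_list() populates on the server side.
 * Names are constructed strings, not real DER Distinguished Names. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Encode a CA list as TLS does (RFC 5246 7.4.4, RFC 8446 4.2.4): a 2-byte
 * total length, then each name as a 2-byte length followed by its bytes.
 * Returns the number of bytes written, or 0 if the list does not fit. */
size_t encode_ca_list(const char *const *names, size_t n,
                      uint8_t *out, size_t cap)
{
    size_t pos = 2, i;
    if (cap < 2)
        return 0;
    for (i = 0; i < n; i++) {
        size_t len = strlen(names[i]);
        if (len == 0 || len > 0xFFFF || pos + 2 + len > cap)
            return 0;
        out[pos++] = (uint8_t)(len >> 8);
        out[pos++] = (uint8_t)(len & 0xFF);
        memcpy(out + pos, names[i], len);
        pos += len;
    }
    if (pos - 2 > 0xFFFF)
        return 0;
    out[0] = (uint8_t)((pos - 2) >> 8);
    out[1] = (uint8_t)((pos - 2) & 0xFF);
    return pos;
}

/* One certificate the client could present: subject plus issuing CA. */
struct client_cert {
    const char *subject;
    const char *issuer;
};

/* 1 if `issuer` is named in the encoded list, 0 if not,
 * -1 if the list is malformed (truncated or contains a zero-length name). */
static int ca_list_contains(const uint8_t *buf, size_t len, const char *issuer)
{
    size_t pos = 2, end, ilen = strlen(issuer);
    if (len < 2)
        return -1;
    end = 2 + (((size_t)buf[0] << 8) | buf[1]);
    if (end > len)
        return -1;                       /* declared length exceeds message */
    while (pos < end) {
        size_t nlen;
        if (pos + 2 > end)
            return -1;
        nlen = ((size_t)buf[pos] << 8) | buf[pos + 1];
        pos += 2;
        if (nlen == 0 || pos + nlen > end)
            return -1;
        if (nlen == ilen && memcmp(buf + pos, issuer, nlen) == 0)
            return 1;
        pos += nlen;
    }
    return 0;
}

/* Pick the slot to present. An empty list (what a server sends when it never
 * configured a client CA list) gives no guidance, so the client falls back
 * to its first certificate; a client with one certificate therefore works
 * either way. With a populated list the client offers the first certificate
 * whose issuer the server named. Returns the slot index, or -1 when nothing
 * is usable or the list is malformed. */
int choose_client_cert(const uint8_t *buf, size_t len,
                       const struct client_cert *certs, size_t ncerts)
{
    size_t i;
    if (len < 2)
        return -1;
    if (buf[0] == 0 && buf[1] == 0)          /* empty list */
        return ncerts ? 0 : -1;
    for (i = 0; i < ncerts; i++) {
        int r = ca_list_contains(buf, len, certs[i].issuer);
        if (r < 0)
            return -1;
        if (r == 1)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    /* Constructed sample data: two issuers the server accepts, and a client
     * holding certificates from two different CAs. */
    const char *const server_cas[] = { "CN=Lab Root CA", "CN=Ops Intermediate CA" };
    const struct client_cert wallet[] = {
        { "CN=host1", "CN=Corp Issuing CA" },     /* not on the server's list */
        { "CN=host1", "CN=Ops Intermediate CA" }  /* named by the server */
    };
    uint8_t msg[256];
    size_t n = encode_ca_list(server_cas, 2, msg, sizeof msg);
    printf("CA list is %zu bytes; client offers slot %d\n",
           n, choose_client_cert(msg, n, wallet, 2));
    return 0;
}
```

The point the model makes is that the server-side call matters only when the client has a choice to make: a client with a single certificate presents it whether the list is empty or not, while a client with several certificates needs the list to avoid offering one the server will reject.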
