Ronald Klop wrote: >On Sat, 14 Mar 2020 02:28:22 +0100, Rick Macklem <rmacklem_at_uoguelph.ca> >wrote: > >> Hi, >> >> Since it is done in sample code, I have an option in the RPC-over-TLS >> server daemon that does the SSL_CTX_set_client_CA_list() call. >> When I test, I have not used this option and the code seems to work. >> Maybe this is because the client only has a single certificate? >> >> Here's the lame description I have in the man page for the option: >> .It Fl C Ar client_cafile >> If this option is specified, the server calls >> .Dq >> SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(``client_cafile'')) >> during TLS context configuration. >> I do not know when this is needed, but it appears to be required for >> certain TLS configurations. >> >> Does someone know when this call is needed? >> Can you explain it? (Just about anything is better than the above;-) >> > > >grep -r SSL_CTX_set_client_CA_list /usr/src/* gives a couple of matches >(sendmail, wpa & unbound). Maybe that source gives a hint. Good point. I had looked at the s_server in openssl, but not the others. It looks like wpa and unbound do what I was thinking of and uses the CAfile argument for both SSL_CTX_load_verify_locations() and SSL_CTX_set_client_CA_list(SSL_load_client_CA_file()), setting CApath NULL for SSL_CTX_load_verify_locations(). Sendmail and the s_server.c in openssl pass both CAfile and CApath arguments to SSL_CTX_load_verify_locations() and then uses the CAfile argument for SSL_CTX_set_client_CA_list(SSL_load_client_CA_file()). This means that SSL_CTX_set_client_CA_list() was only called for the CAfile case and not the CApath case. (The SSL_CTX_load_verify_locations() man page notes that the certificates in CApath are only loaded when verification is being done and only when a certificate is not found in CAfile, but that doesn't seem to answer when/if CApath gets used. It is a directory of CA files, but why do it that way instead of putting them all in a single CAfile?) As such, it stills seems to be a bit of a mystery to me, but it seems that putting all the certificates in a CAfile and not using a CApath directory is the simpler way to go. I haven't yet decided whether or not I'll specify a command option for setting CApath. Sendmail does. wpa and unboud don't? Thanks for the suggestion, rick Regard, Ronald. > Thanks, rick > _______________________________________________ > freebsd-current_at_freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-current > To unsubscribe, send any mail to > "freebsd-current-unsubscribe_at_freebsd.org"Received on Sun Mar 15 2020 - 22:28:03 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:23 UTC