Alexander Leidinger wrote:
> Quoting Rick Macklem <rmacklem_at_uoguelph.ca> (from Sun, 15 Mar 2020 23:27:58 +0000):
>
>> As such, it still seems to be a bit of a mystery to me, but it seems that putting
>> all the certificates in a CAfile and not using a CApath directory is the simpler
>> way to go.
>
> If you have multiple CAs in the file, the code needs to search for one which
> matches. If you use the path, the code just needs to list the directory and check
> the filename which matches the id of the CA-cert. On a recent -current system
> where you've never run "certctl rehash", have a look into /etc/ssl/certs, then
> run "certctl rehash", and then check /etc/ssl/certs again to see what I mean.
>
> For a program which communicates with a lot of different systems which use
> different CAs (mailserver, browser), the path makes sense. For an NFS server I
> wouldn't configure all the Mozilla-accepted CAs. As such a CAfile may be enough,
> but having the possibility for both allows the user to choose which way he wants
> to configure his system (e.g. maybe he has just one CA in a directory, but for
> consistency reasons he prefers to specify the path to be able to use one way to
> configure things).
>
> You can do it either way, technically it doesn't matter. It makes sense to have
> both possibilities (that would be my preference, to give the user the choice
> which way he wants to handle it). Having only the file-way would not be stupid
> (as you can see with wpa and unbound, which are used in a similar way in this
> regard as one would use NFS). Only the path-way would be less favorable in my
> opinion.

Well, I can easily provide command line options for both CAfile and CApath.
The part that confuses me is that only CAfile gets used for:
    SSL_CTX_set_client_CA_list(SSL_load_CA_names(CAfile))
in the examples I've found, so the CA list that goes to the client doesn't seem
to get set for the CApath case?

As such, there does seem to be a technical difference between using CAfile and
CApath. And Garrett seems to indicate SSL_CTX_set_client_CA_list() should always
be done.
Note that NFS will often (not always, that's a decision for the NFS admin) want
certificates from clients (something that a web server doesn't normally do).

For now, I'll just provide both command line arguments, but note in the man page
that SSL_CTX_set_client_CA_list() is only done for CAfile.

Thanks for your comments, rick

>> I haven't yet decided whether or not I'll specify a command option for setting
>> CApath. Sendmail does. wpa and unbound don't?
>
> Sendmail needs to use more than one CA if it wants to validate connections from
> anyone, and it wants to do it in a performant way. WIFI and DNS typically only
> need one CA.
>
> Bye,
> Alexander.
>
> --
> http://www.Leidinger.net Alexander_at_Leidinger.net: PGP 0x8F31830F9F2772BF
> http://www.FreeBSD.org netchild_at_FreeBSD.org : PGP 0x8F31830F9F2772BF

Received on Mon Mar 16 2020 - 20:44:44 UTC
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:23 UTC
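The CAfile/CApath distinction discussed in the thread, as an added example that is not part of the thread and not code from FreeBSD or the NFS daemon being discussed: a POSIX shell script that uses the openssl CLI (1.1.1 or newer is assumed) to create two throw-away CAs and one leaf certificate, lays the CAs out both as a concatenated CAfile and as a hashed CApath directory in the way certctl rehash does, and then shows that a CApath lookup only finds a CA filed under its subject-name hash. All file names, directory names and the "Demo NFS CA" subjects are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: build a throw-away
# CA set with the openssl CLI and lay it out as a CAfile and as a CApath.
# Every file name and subject below is constructed for the demo.
set -eu

# Minimal req(1) config so the demo does not depend on the system openssl.cnf.
write_req_config() {
    cat > "$1" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

# The name OpenSSL looks for in a CApath: 8 hex digits of the subject-name
# hash, then .0 (.1, .2 ... when several CAs share a hash).
capath_name_for() {
    printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash)"
}

# What "certctl rehash" (FreeBSD) and "openssl rehash" do, reduced to the
# essentials: link every *.pem in $1 under its hashed name.
rehash_dir() {
    for cert in "$1"/*.pem; do
        h=$(openssl x509 -in "$cert" -noout -subject_hash)
        n=0
        while [ -e "$1/$h.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$cert")" "$1/$h.$n"
    done
}

# Create two CAs and one leaf cert issued by the first CA in directory $1,
# then a CAfile (all CAs concatenated) and a CApath (one file per CA).
make_demo_pki() {
    dir=$1
    mkdir -p "$dir/capath"
    write_req_config "$dir/req.cnf"
    for n in 1 2; do
        openssl req -x509 -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
            -sha256 -days 1 -subj "/CN=Demo NFS CA $n" \
            -keyout "$dir/ca$n.key" -out "$dir/ca$n.pem" 2>/dev/null
    done
    openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=nfs-client.example.test" \
        -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -in "$dir/leaf.csr" \
        -CA "$dir/ca1.pem" -CAkey "$dir/ca1.key" -CAcreateserial \
        -out "$dir/leaf.pem" 2>/dev/null
    # CAfile: verification has to scan every certificate in it.
    cat "$dir/ca1.pem" "$dir/ca2.pem" > "$dir/cafile.pem"
    # CApath: verification opens <subject_hash>.<n> for the issuer it needs.
    cp "$dir/ca1.pem" "$dir/ca2.pem" "$dir/capath/"
    rehash_dir "$dir/capath"
}

# Succeeds when the CApath in $1 holds the hashed entry for CA cert $2.
capath_has_entry() {
    test -e "$1/$(capath_name_for "$2")"
}

# Succeeds when the leaf verifies both via the CAfile and via the CApath.
verify_both_ways() {
    openssl verify -CAfile "$1/cafile.pem" "$1/leaf.pem" >/dev/null
    openssl verify -CApath "$1/capath" "$1/leaf.pem" >/dev/null
}

# Succeeds when a CA that is present in the directory under a non-hashed
# name is NOT found: the CApath lookup is by file name, not by content.
capath_lookup_is_by_name() {
    mkdir -p "$1/badpath"
    cp "$1/ca1.pem" "$1/badpath/wrong-name.0"
    ! openssl verify -CApath "$1/badpath" "$1/leaf.pem" >/dev/null 2>&1
}

# Run the whole demo when a work directory is given: sh capath-demo.sh ./work
if [ $# -gt 0 ]; then
    make_demo_pki "$1"
    ls -l "$1/capath"
    capath_has_entry "$1/capath" "$1/ca1.pem" && echo "hashed entry for CA 1 present"
    verify_both_ways "$1" && echo "leaf verifies via CAfile and via CApath"
    capath_lookup_is_by_name "$1" && echo "mis-named CA in CApath is not found"
fi
```

The hashed names are why a CApath scales to many CAs: the verifier computes the hash of the issuer name it is looking for and opens that one file instead of parsing every certificate in a bundle. The second point raised in the thread, whether the server advertises its acceptable client CAs, can be checked from the client side with `openssl s_client` against a server that requests client certificates: after the handshake it prints either "Acceptable client certificate CA names" followed by the subjects it received, or "No client certificate CA names sent", which is what a CApath-only configuration that never calls SSL_CTX_set_client_CA_list() would show.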