Got it. Thanks. I would think the basic client case is "one certificate, one CA" so I think I will roll with what we have (especially since the product has been out there for years with no reported problems in this area -- although I think client certificate usage is rare) but keep the issue in mind if a problem comes up.
Charles

-----Original Message-----
From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf Of Viktor Dukhovni
Sent: Sunday, December 2, 2018 5:50 PM
To: openssl-users@openssl.org
Subject: Re: [openssl-users] Question on necessity of SSL_CTX_set_client_CA_list

> On Dec 2, 2018, at 7:38 PM, Charles Mills <charl...@mcn.org> wrote:
>
> I have an OpenSSL (v1.1.0f) server application that processes client
> certificates.
>
> The doc for SSL_CTX_load_verify_locations() states “In server mode, when
> requesting a client certificate, the server must send the list of CAs of
> which it will accept client certificates. This list is not influenced by the
> contents of CAfile or CApath and must explicitly be set using the
> SSL_CTX_set_client_CA_list family of functions.”
>
> The application makes no calls to SSL_CTX_set_client_CA_list() yet receives
> client certificates without errors.
>
> Can someone please explain the discrepancy. I’m especially wondering if I
> have set a trap that will spring down the road: “yes it works, but if a user
> does X then it will not work.”

The default list is empty. Some client implementations, IIRC Java's TLS stack or at least some Java TLS toolkits, will not use a client certificate unless the server's list is non-empty, and perhaps may also require that it include a CA name that matches an issuer of their certificate. Other clients have but one default certificate and use it regardless of the server's CA list. Your mileage may vary.

-- 
Viktor.

-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
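A quick way to see which case a given server falls into is to read what `openssl s_client` prints after the handshake: it reports either "Acceptable client certificate CA names" followed by one distinguished name per line, or "No client certificate CA names sent" when the list is empty. The script below is an added example, not part of this thread; it parses such a transcript (the two sample transcripts are constructed, and the host, port and file names in the usage comment are assumptions).

```shell
#!/bin/sh
# Added example: summarize the client-CA list a TLS server advertises, from
# an `openssl s_client` transcript read on stdin. Live use (assumed names):
#   openssl s_client -connect server.example:8443 -cert client.pem \
#       -key client.key </dev/null 2>&1 | summarize_client_ca_list

# Print the advertised CA names, one per line (empty output if none).
client_ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { collecting = 1; next }
        collecting && /^(Client Certificate Types|Requested Signature Algorithms|Shared Requested Signature Algorithms|Peer signing digest|Peer signature type|Server Temp Key|---)/ { collecting = 0 }
        collecting { print }
    '
}

# Exit 0 when the server sent a non-empty list, 1 when it sent none.
summarize_client_ca_list() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -q '^No client certificate CA names sent'; then
        echo "server sent an EMPTY client CA list (SSL_CTX_set_client_CA_list never called?)"
        return 1
    fi
    n=$(printf '%s\n' "$transcript" | client_ca_names | grep -c . || true)
    echo "server advertised $n client CA name(s)"
    [ "$n" -gt 0 ]
}

# Constructed, abridged transcripts (not real captures).
SAMPLE_EMPTY='---
No client certificate CA names sent
Peer signing digest: SHA256
---'
SAMPLE_WITH_CAS='---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example Client CA
C = US, O = Example Corp, CN = Example Root CA
Client Certificate Types: RSA sign, ECDSA sign
---'

printf '%s\n' "$SAMPLE_EMPTY" | summarize_client_ca_list || true
printf '%s\n' "$SAMPLE_WITH_CAS" | summarize_client_ca_list
```

An empty list is exactly the situation Viktor describes: OpenSSL clients with a single configured certificate will still send it, while pickier clients may decline.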