Salz, Rich <rsalz=40akamai....@dmarc.ietf.org> writes:

> Is this generally used? Would things go badly if we stopped sending them?

Just as a data point, in the SCADA world it seems to be universally ignored. I've seen everything from servers that send a list containing every CA in existence, so much data in that one field that it overflows the TLS maximum message size (when queried the server admins asked what a CA name list was, and what it was used for), to a few random CA names that don't correspond to anything they'll accept (when queried the server admins asked what a CA name list was, and what it was used for), to nothing at all. I've also seen plenty of servers that send cert requests to the client without actually wanting a cert (when queried the server admins asked what a cert request was, and what it was used for).

The behaviour to make things work in this environment is to treat the cert request as a no-biased boolean:

* No cert request present -> Proceed
* Cert request present, no cert available -> Proceed
* Cert request present, cert available -> Auth with whatever cert you happen to have using whatever algorithm it happens to use.

So far this has produced zero complaints about things breaking. The fact that they've not received complaints from anyone else either indicates that pretty much every other implementation is doing something along similar lines.

Peter.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
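As an added illustration of the client-side handling described in the message above (example code, not from the post or from any TLS implementation): a bounds-checked parser for a TLS 1.2 CertificateRequest that rejects a certificate_authorities list whose claimed length runs past the handshake message, plus a chooser implementing the three-case rule, which never consults the CA names. The layout follows RFC 5246 section 7.4.4; the sample request bytes and the `own_cert` value are constructed placeholders.

```python
from typing import Optional, Tuple

CERTIFICATE_REQUEST = 13  # HandshakeType.certificate_request (RFC 5246 section 7.4.4)

def _vec(buf: bytes, off: int, lenbytes: int) -> Tuple[bytes, int]:
    """Read one TLS variable-length vector; reject a claimed length past the end of buf."""
    if off + lenbytes > len(buf):
        raise ValueError("truncated vector length")
    n = int.from_bytes(buf[off:off + lenbytes], "big")
    if off + lenbytes + n > len(buf):
        raise ValueError("vector length overruns message")
    return buf[off + lenbytes:off + lenbytes + n], off + lenbytes + n

def parse_certificate_request(msg: bytes):
    """Return (certificate_types, [(hash, sig), ...], [DER DistinguishedName, ...])."""
    if len(msg) < 4 or msg[0] != CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length does not match body")
    types, off = _vec(body, 0, 1)
    sa, off = _vec(body, off, 2)
    cas, off = _vec(body, off, 2)
    if off != len(body) or len(sa) % 2:
        raise ValueError("bad CertificateRequest layout")
    names, p = [], 0
    while p < len(cas):  # each CA name is its own length-prefixed DER blob
        dn, p = _vec(cas, p, 2)
        names.append(dn)
    return types, [(sa[i], sa[i + 1]) for i in range(0, len(sa), 2)], names

def is_malformed(msg: bytes) -> bool:
    try:
        parse_certificate_request(msg)
        return False
    except ValueError:
        return True

def choose_client_cert(request: Optional[bytes], own_cert: Optional[bytes]) -> Optional[bytes]:
    """The post's 'no-biased boolean': no request or no cert -> send nothing; request and a
    cert -> send that cert regardless of the server's CA list, which is only sanity-checked."""
    if request is None:
        return None
    parse_certificate_request(request)  # raises ValueError on a malformed request
    return own_cert

# Constructed sample (not from any real server): type rsa_sign(1), sha256+rsa (4,1), two
# placeholder DER Names. Layout: type | 3-byte len | types | sig_algs | certificate_authorities.
SAMPLE_REQUEST = (bytes([CERTIFICATE_REQUEST, 0, 0, 18]) + b"\x01\x01" + b"\x00\x02\x04\x01"
                  + b"\x00\x0a" + b"\x00\x02\x30\x00" + b"\x00\x04\x30\x02\x31\x00")
```

A request with a certificate_authorities length field claiming more bytes than the message carries is rejected before the chooser runs, which is the failure mode the "every CA in existence" servers trigger.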