when does a server need to use SSL_CTX_set_client_CA_list()?
Ronald Klop
ronald-lists at klop.ws
Sun Mar 15 18:41:12 UTC 2020
On Sat, 14 Mar 2020 02:28:22 +0100, Rick Macklem <rmacklem at uoguelph.ca>
wrote:
> Hi,
>
> Since it is done in sample code, I have an option in the RPC-over-TLS
> server daemon that does the SSL_CTX_set_client_CA_list() call.
> When I test, I have not used this option and the code seems to work.
> Maybe this is because the client only has a single certificate?
>
> Here's the lame description I have in the man page for the option:
> .It Fl C Ar client_cafile
> If this option is specified, the server calls
> .Dq
> SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(``client_cafile''))
> during TLS context configuration.
> I do not know when this is needed, but it appears to be required for
> certain TLS configurations.
>
> Does someone know when this call is needed?
> Can you explain it? (Just about anything is better than the above;-)
>
grep -r SSL_CTX_set_client_CA_list /usr/src/* gives a couple of matches
(sendmail, wpa & unbound). Maybe that source gives a hint.
Regard,
Ronald.
> Thanks, rick
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to
> "freebsd-current-unsubscribe at freebsd.org"
More information about the freebsd-current
mailing list