when does a server need to use SSL_CTX_set_client_CA_list()?
Alexander Leidinger
Alexander at leidinger.net
Mon Mar 16 08:19:54 UTC 2020
Quoting Rick Macklem <rmacklem at uoguelph.ca> (from Sun, 15 Mar 2020 23:27:58 +0000):
> As such, it stills seems to be a bit of a mystery to me, but it seems that
> putting all the certificates in a CAfile and not using a CApath directory
> is the simpler way to go.
If you have multiple CAs in the file, the code needs to search for one
which matches. If you use the path, the code just needs to list the
directory and check the filename which matches the id of the CA-cert.
On a recent -current system where you've never run "certctl rehash",
have a look into /etc/ssl/certs, then run "certctl rehash", and then
check /etc/ssl/certs again to see what I mean.
For a program which communicates with a lot of different systems which
use different CAs (mailserver, browser), the path makes sense. For a
NFS server I wouldn't configure all the Mozilla-accepted CAs. As such
a CAfile may be enough, but having the possibility for both allows the
user to choose which way he wants to configure his system (e.g. maybe
he has just one CA in a directory, but for consistency reasons he
prefers to specify the path to be able to use one way to configure
things).
You can do it either way, technically it doesn't matter. It makes
sense to have both possibilities (that would be my preference, to give
the user the choice which way he wants to handle it). Having only the
file-way would not be stupid (as you can see with wpa and unbound,
which are used in a similar way in this regard as one would use
NFS). Only the path-way would be less favorable in my opinion.
> I haven't yet decided whether or not I'll specify a command option
> for setting
> CApath. Sendmail does. wpa and unbound don't?
Sendmail needs to use more than one CA if it wants to validate
connections from anyone, and it wants to do it in a performant way.
WIFI and DNS typically only need one CA.
Bye,
Alexander.
--
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild at FreeBSD.org : PGP 0x8F31830F9F2772BF
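The CAfile-versus-CApath difference discussed above, as an added example that is not part of the thread: it reproduces what "certctl rehash" does (naming each CA cert <subject_hash>.<n>) and shows that OpenSSL only finds a CA in a CApath under that hashed name, while a CAfile bundle is scanned. It assumes the openssl CLI (1.1.1 or 3.x); the CAs, the leaf and the names ca-mail, ca-nfs and nfsserver are throwaway values constructed here.

```shell
#!/bin/sh
# Added example (not from the thread): emulate "certctl rehash" and compare
# CAfile (bundle scanned for a matching issuer) with CApath (issuer looked
# up by <subject_hash>.<n> filename). Assumes the openssl CLI; all keys and
# certificates are constructed on the fly and discarded.
set -eu

csr() {  # $1=dir $2=name : fresh EC key + CSR (constructed test identity)
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}
make_ca() {  # $1=dir $2=name : self-signed CA with an explicit CA:TRUE
    csr "$1" "$2"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 1 \
        -extfile "$1/ca.ext" -out "$1/$2.crt" 2>/dev/null
}
make_leaf() {  # $1=dir $2=name $3=issuing CA name
    csr "$1" "$2"
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.crt" -CAkey "$1/$3.key" \
        -CAcreateserial -days 1 -out "$1/$2.crt" 2>/dev/null
}
rehash() {  # $1=bundle $2=dir : split the bundle, name each cert <hash>.<n>
    mkdir -p "$2"
    awk -v d="$2" '/BEGIN CERTIFICATE/{n++} {print > (d "/split-" n ".pem")}' "$1"
    for f in "$2"/split-*.pem; do
        h=$(openssl x509 -noout -subject_hash -in "$f")
        i=0; while [ -e "$2/$h.$i" ]; do i=$((i + 1)); done  # hash collisions
        mv "$f" "$2/$h.$i"
    done
}
can_verify() {  # $1=-CAfile|-CApath $2=location $3=leaf cert ; prints yes/no
    if openssl verify "$1" "$2" "$3" >/dev/null 2>&1; then echo yes; else echo no; fi
}
run_demo() {  # succeeds only if CAfile and hashed CApath work and unhashed fails
    d=$(mktemp -d)
    make_ca "$d" ca-mail; make_ca "$d" ca-nfs
    make_leaf "$d" nfsserver ca-nfs
    cat "$d/ca-mail.crt" "$d/ca-nfs.crt" > "$d/bundle.pem"
    rehash "$d/bundle.pem" "$d/hashed"
    mkdir -p "$d/unhashed"; cp "$d/ca-nfs.crt" "$d/unhashed/"  # right cert, wrong name
    r1=$(can_verify -CAfile "$d/bundle.pem" "$d/nfsserver.crt")
    r2=$(can_verify -CApath "$d/hashed" "$d/nfsserver.crt")
    r3=$(can_verify -CApath "$d/unhashed" "$d/nfsserver.crt")
    echo "CAfile=$r1 CApath(hashed)=$r2 CApath(unhashed)=$r3"; ls "$d/hashed"
    rm -rf "$d"
    [ "$r1$r2$r3" = yesyesno ]
}
command -v openssl >/dev/null 2>&1 && run_demo
```

The listing of the hashed directory is what /etc/ssl/certs looks like after "certctl rehash"; a CA dropped into a CApath under any other filename is simply never consulted.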