when does a server need to use SSL_CTX_set_client_CA_list()?

Rick Macklem rmacklem at uoguelph.ca
Sat Mar 14 01:28:25 UTC 2020


Since it is done in sample code, I have an option in the RPC-over-TLS
server daemon that does the SSL_CTX_set_client_CA_list() call.
When I test, I have not used this option and the code seems to work.
Maybe this is because the client only has a single certificate?

Here's the lame description I have in the man page for the option:
.It Fl C Ar client_cafile
If this option is specified, the server calls
.Dq SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(``client_cafile''))
during TLS context configuration.
I do not know when this is needed, but it appears to be required for
certain TLS configurations.

Does someone know when this call is needed?
Can you explain it? (Just about anything is better than the above;-)

Thanks, rick

More information about the freebsd-current mailing list