when does a server need to use SSL_CTX_set_client_CA_list()?

Ronald Klop ronald-lists at klop.ws
Sun Mar 15 18:41:12 UTC 2020

On Sat, 14 Mar 2020 02:28:22 +0100, Rick Macklem <rmacklem at uoguelph.ca>  

> Hi,
> Since it is done in sample code, I have an option in the RPC-over-TLS
> server daemon that does the SSL_CTX_set_client_CA_list() call.
> When I test, I have not used this option and the code seems to work.
> Maybe this is because the client only has a single certificate?
> Here's the lame description I have in the man page for the option:
> .It Fl C Ar client_cafile
> If this option is specified, the server calls
> .Dq  
> SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(``client_cafile''))
> during TLS context configuration.
> I do not know when this is needed, but it appears to be required for
> certain TLS configurations.
> Does someone know when this call is needed?
> Can you explain it? (Just about anything is better than the above;-)

grep -r SSL_CTX_set_client_CA_list /usr/src/* gives a couple of matches  
(sendmail, wpa & unbound). Maybe that source gives a hint.



> Thanks, rick
> _______________________________________________
> freebsd-current at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to  
> "freebsd-current-unsubscribe at freebsd.org"

More information about the freebsd-current mailing list