when does a server need to use SSL_CTX_set_client_CA_list()?

Rick Macklem rmacklem at uoguelph.ca
Sun Mar 15 23:28:03 UTC 2020

Ronald Klop wrote:
>On Sat, 14 Mar 2020 02:28:22 +0100, Rick Macklem <rmacklem at uoguelph.ca>
>> Hi,
>> Since it is done in sample code, I have an option in the RPC-over-TLS
>> server daemon that does the SSL_CTX_set_client_CA_list() call.
>> When I test, I have not used this option and the code seems to work.
>> Maybe this is because the client only has a single certificate?
>> Here's the lame description I have in the man page for the option:
>> .It Fl C Ar client_cafile
>> If this option is specified, the server calls
>> .Dq
>> SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(``client_cafile''))
>> during TLS context configuration.
>> I do not know when this is needed, but it appears to be required for
>> certain TLS configurations.
>> Does someone know when this call is needed?
>> Can you explain it? (Just about anything is better than the above;-)
>grep -r SSL_CTX_set_client_CA_list /usr/src/* gives a couple of matches
>(sendmail, wpa & unbound). Maybe that source gives a hint.
Good point. I had looked at the s_server in openssl, but not the others.
It looks like wpa and unbound do what I was thinking of and use the
CAfile argument for both SSL_CTX_load_verify_locations() and
SSL_CTX_set_client_CA_list(SSL_load_client_CA_file()), setting CApath NULL
for SSL_CTX_load_verify_locations().

Sendmail and the s_server.c in openssl pass both CAfile and CApath arguments
to SSL_CTX_load_verify_locations() and then use the CAfile argument for
This means that SSL_CTX_set_client_CA_list() was only called for the CAfile case
and not the CApath case. (The SSL_CTX_load_verify_locations() man page notes that
the certificates in CApath are only loaded when verification is being done and
only when a certificate is not found in CAfile, but that doesn't seem to answer
when/if CApath gets used. It is a directory of CA files, but why do it that way
instead of putting them all in a single CAfile?)

As such, it still seems to be a bit of a mystery to me, but it seems that putting
all the certificates in a CAfile and not using a CApath directory is the simpler
way to go.

I haven't yet decided whether or not I'll specify a command option for setting
CApath. Sendmail does. wpa and unbound don't?

Thanks for the suggestion, rick
