when does a server need to use SSL_CTX_set_client_CA_list()?

Alexander Leidinger Alexander at leidinger.net
Mon Mar 16 08:19:54 UTC 2020

Quoting Rick Macklem <rmacklem at uoguelph.ca> (from Sun, 15 Mar 2020  
23:27:58 +0000):

> As such, it stills seems to be a bit of a mystery to me, but it  
> seems that putting
> all the certificates in a CAfile and not using a CApath directory is  
> the simpler
> way to go.

If you have multiple CAs in the file, the code needs to search for one  
which matches. If you use the path, the code just needs to list the  
directory and check the filename which matches the id of the CA-cert.  
On a recent -current system have where you've never run "certctl  
rehash" have a look into /etc/ssl/certs, then run "certctl rehash",  
and then check /etc/ssl/certs again to see what I mean.

For a program which communicates with a lot of different systems which  
use different CAs (mailserver, browser), the path makes sense. For a  
NFS server I wouldn't configure all the Mozilla-accepted CAs. As such  
a CAfile may be enough, but having the possibility for both allows the  
user to chose which way he wants to configure his system (e.g. maybe  
he has just one CA in a directory, but for consistency reasons he  
prefers to specify the path to be able to use one way to configure  

You can do it either way, technically it doesn't matter. It makes  
sense to have both possibilities (that would be my preference, to give  
the user the choice which way he wants to handle it). Having only the  
file-way would not be stupid (as you can see with wpa and unbound,  
which are used in a similar way in this regard than one would use  
NFS). Only the path-way would be less favorable in my opinion.

> I haven't yet decided whether or not I'll specify a command option  
> for setting
> CApath. Sendmail does. wpa and unboud don't?

Sendmail needs to use more than one CA if it wants to validate  
connections from anyone, and it wants to do it in a performant way.  
WIFI and DNS typically only need one CA.


http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild at FreeBSD.org  : PGP 0x8F31830F9F2772BF
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: Digitale PGP-Signatur
URL: <http://lists.freebsd.org/pipermail/freebsd-current/attachments/20200316/54330822/attachment.sig>

More information about the freebsd-current mailing list