when does a server need to use SSL_CTX_set_client_CA_list()?

Rick Macklem rmacklem at uoguelph.ca
Mon Mar 16 21:44:44 UTC 2020

Alexander Leidinger wrote:
>Quoting Rick Macklem <rmacklem at uoguelph.ca> (from Sun, 15 Mar 2020  
>23:27:58 +0000):
>> As such, it stills seems to be a bit of a mystery to me, but it  
>> seems that putting
>> all the certificates in a CAfile and not using a CApath directory is  
>> the simpler
>> way to go.
>If you have multiple CAs in the file, the code needs to search for one  
>which matches. If you use the path, the code just needs to list the  
>directory and check the filename which matches the id of the CA-cert.  
>On a recent -current system have where you've never run "certctl  
>rehash" have a look into /etc/ssl/certs, then run "certctl rehash",  
>and then check /etc/ssl/certs again to see what I mean.
>For a program which communicates with a lot of different systems which  
>use different CAs (mailserver, browser), the path makes sense. For a  
>NFS server I wouldn't configure all the Mozilla-accepted CAs. As such  
>a CAfile may be enough, but having the possibility for both allows the  
>user to chose which way he wants to configure his system (e.g. maybe  
>he has just one CA in a directory, but for consistency reasons he  
>prefers to specify the path to be able to use one way to configure  
>You can do it either way, technically it doesn't matter. It makes  
>sense to have both possibilities (that would be my preference, to give  
>the user the choice which way he wants to handle it). Having only the  
>file-way would not be stupid (as you can see with wpa and unbound,  
>which are used in a similar way in this regard than one would use  
>NFS). Only the path-way would be less favorable in my opinion.
Well, I can easily provide command line options for both CAfile and CApath.
The part that confuses me is that only CAfile gets used for:
in the examples I've found, so the CA list that goes to the client doesn't seem
to get set for the CApath case?
As such, there does seem to be a technical difference between using CAfile and

And Garrett seems to indicate SSL_CTX_set_client_CA_LIST() should always be done.

Note that NFS will often (not always, that's a decision for the NFS admin) want
certificates from clients (something that a web server doesn't normally do).

For now, I'll just provide both command line arguments, but note in the man
page that SSL_CTX_set_client_CA_list() is only done for CAfile.

Thanks for your comments, rick

> I haven't yet decided whether or not I'll specify a command option  
> for setting
> CApath. Sendmail does. wpa and unboud don't?

Sendmail needs to use more than one CA if it wants to validate  
connections from anyone, and it wants to do it in a performant way.  
WIFI and DNS typically only need one CA.


http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild at FreeBSD.org  : PGP 0x8F31830F9F2772BF

More information about the freebsd-current mailing list