when does a server need to use SSL_CTX_set_client_CA_list()?
rmacklem at uoguelph.ca
Mon Mar 16 21:44:44 UTC 2020
Alexander Leidinger wrote:
>Quoting Rick Macklem <rmacklem at uoguelph.ca> (from Sun, 15 Mar 2020
>> As such, it stills seems to be a bit of a mystery to me, but it
>> seems that putting
>> all the certificates in a CAfile and not using a CApath directory is
>> the simpler
>> way to go.
>If you have multiple CAs in the file, the code needs to search for one
>which matches. If you use the path, the code just needs to list the
>directory and check the filename which matches the id of the CA-cert.
>On a recent -current system where you've never run "certctl
>rehash", have a look into /etc/ssl/certs, then run "certctl rehash",
>and then check /etc/ssl/certs again to see what I mean.
>For a program which communicates with a lot of different systems which
>use different CAs (mailserver, browser), the path makes sense. For a
>NFS server I wouldn't configure all the Mozilla-accepted CAs. As such
>a CAfile may be enough, but having the possibility for both allows the
>user to choose which way he wants to configure his system (e.g. maybe
>he has just one CA in a directory, but for consistency reasons he
>prefers to specify the path to be able to use one way to configure
>You can do it either way, technically it doesn't matter. It makes
>sense to have both possibilities (that would be my preference, to give
>the user the choice which way he wants to handle it). Having only the
>file-way would not be stupid (as you can see with wpa and unbound,
>which are used in a similar way in this regard to how one would use
>NFS). Only the path-way would be less favorable in my opinion.
Well, I can easily provide command line options for both CAfile and CApath.
The part that confuses me is that only CAfile gets used for:
in the examples I've found, so the CA list that goes to the client doesn't seem
to get set for the CApath case?
As such, there does seem to be a technical difference between using CAfile and
And Garrett seems to indicate SSL_CTX_set_client_CA_list() should always be done.
Note that NFS will often (not always, that's a decision for the NFS admin) want
certificates from clients (something that a web server doesn't normally do).
For now, I'll just provide both command line arguments, but note in the man
page that SSL_CTX_set_client_CA_list() is only done for CAfile.
Thanks for your comments, rick
> I haven't yet decided whether or not I'll specify a command option
> for setting
> CApath. Sendmail does. wpa and unbound don't?
Sendmail needs to use more than one CA if it wants to validate
connections from anyone, and it wants to do it in a performant way.
WIFI and DNS typically only need one CA.
http://www.Leidinger.net Alexander at Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild at FreeBSD.org : PGP 0x8F31830F9F2772BF