In article <[EMAIL PROTECTED]>, [EMAIL PROTECTED] says...
> Stephen Henson wrote:
> >
> > Although a server sending an empty list is strictly speaking illegal in
> > SSL/TLS, some implementations will tolerate it and interpret it as "any
> > CA".
> >
> > No idea if Mozilla does though...
> >
> > Steve.
>
> Until recently, NSS treated a cert request with an empty set of CA names
> as an error. Now, in the most recent versions (3.7 and later, IIRC),
> it allows zero-length lists, and passes them up to the application's cert
> selection callback function. I don't know what mozilla (the browser
> application) does when it receives a zero-length CA name list.
>
> This change to NSS was made in response to the Internet Draft revision
> to RFC 2246.
> ftp://ftp.rfc-editor.org/in-notes/internet-drafts/draft-ietf-tls-rfc2246-bis-03.txt
> As presently drafted, TLS 1.1 will explicitly allow zero-length CA name
> lists.
>
My tests on Mozilla 1.2.1 show it tolerates an empty set and interprets
it as "any CA". Maybe that's NSS 3.6, because that's the version the
"Generic Crypto Services" HW version shows up as.

Steve.
-- 
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.demon.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
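As an added example (not from this thread, nor OpenSSL or NSS code), a small Python parser for the TLS 1.0/1.1 CertificateRequest handshake message that shows the two readings of an empty certificate_authorities list discussed above: the RFC 2246 strict rejection and the RFC 4346 (TLS 1.1) "any CA" interpretation. The sample messages, the builder helper and the DN bytes are constructed placeholders, not captured traffic.

```python
CERTIFICATE_REQUEST = 13  # HandshakeType certificate_request


class StrictCAListError(ValueError):
    """Empty certificate_authorities rejected under the RFC 2246 reading."""


def parse_certificate_request(msg: bytes, strict_rfc2246: bool = False) -> dict:
    """Parse a TLS 1.0/1.1 CertificateRequest handshake message.

    RFC 2246 declares certificate_authorities<3..2^16-1>, so a strict peer
    rejects an empty list; RFC 4346 relaxes it to <0..2^16-1>, and an empty
    list means the client may present a certificate from any CA.
    """
    if len(msg) < 4 or msg[0] != CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length does not match body")
    n_types = body[0]  # certificate_types<1..2^8-1>: length byte, then codes
    if n_types == 0 or 1 + n_types + 2 > len(body):
        raise ValueError("bad certificate_types vector")
    cert_types = list(body[1:1 + n_types])
    pos = 1 + n_types
    ca_len = int.from_bytes(body[pos:pos + 2], "big")  # total length of all DNs
    pos += 2
    if pos + ca_len != len(body):
        raise ValueError("certificate_authorities length mismatch")
    if ca_len == 0 and strict_rfc2246:
        raise StrictCAListError("empty CA name list is illegal under RFC 2246")
    names = []
    while pos < len(body):  # each DistinguishedName is a 2-byte length plus DER
        dn_len = int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        if dn_len == 0 or pos + dn_len > len(body):
            raise ValueError("bad DistinguishedName length")
        names.append(body[pos:pos + dn_len])
        pos += dn_len
    return {"certificate_types": cert_types, "ca_names": names, "any_ca": not names}


def build_certificate_request(cert_types: bytes, ca_names: list) -> bytes:
    """Encode a CertificateRequest; used here only to construct sample messages."""
    cas = b"".join(len(dn).to_bytes(2, "big") + dn for dn in ca_names)
    body = bytes([len(cert_types)]) + cert_types + len(cas).to_bytes(2, "big") + cas
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def strict_rejects(msg: bytes) -> bool:
    """True if the RFC 2246 strict reading rejects this message's CA list."""
    try:
        parse_certificate_request(msg, strict_rfc2246=True)
        return False
    except StrictCAListError:
        return True


# Constructed samples: rsa_sign (1) only; FAKE_DN is a placeholder, not a real DER name.
FAKE_DN = b"\x30\x00"
EMPTY_LIST_MSG = build_certificate_request(b"\x01", [])
ONE_CA_MSG = build_certificate_request(b"\x01", [FAKE_DN])
```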
