Hi,

Our software has been using OpenSSL for many years successfully, but we've recently discovered a problem when running our HTTPS server against a client running some IBM software (not sure exactly what at the moment).
The client appears to be making a strict interpretation of the RFCs regarding the CA name list in the Certificate Request sent by our server. This is required not to be empty by the RFCs (prior to TLS v1.1), but the list being sent is empty. It seems that most software is tolerant of this, but this particular IBM software is not.

I've been doing some testing in the code, and the name list is derived from the stack of CAs in the client_CA data element of the context. However, it seems that this list is never populated by SSL_CTX_load_verify_locations().

I have a confession here that we are still using a rather old version, 0.9.8e.

So has this been seen previously? And has it been fixed? Or are we missing something in our code - SSL_CTX_load_verify_locations() is essentially all we do to handle CAs, and this has been fine until now. I've done the usual searches in the mail archive and not managed to find anything.

For now I'd prefer to patch the 0.9.8e code, before moving to a more recent version.

Best regards,
George Shaw.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org