> On Dec 2, 2018, at 7:38 PM, Charles Mills <[email protected]> wrote:
>
> I have an OpenSSL (v1.1.0f) server application that processes client
> certificates.
>
> The doc for SSL_CTX_load_verify_locations() states “In server mode, when
> requesting a client certificate, the server must send the list of CAs of
> which it will accept client certificates. This list is not influenced by the
> contents of CAfile or CApath and must explicitly be set using the
> SSL_CTX_set_client_CA_list family of functions.”
>
> The application makes no calls to SSL_CTX_set_client_CA_list() yet receives
> client certificates without errors.
>
> Can someone please explain the discrepancy? I’m especially wondering if I
> have set a trap that will spring down the road: “yes it works, but if a user
> does X then it will not work.”

The default list is empty. Some client implementations, IIRC Java's TLS
stack or at least some Java TLS toolkits, will not use a client certificate
unless the server's list is non-empty, and perhaps may also require that it
include a CA name that matches an issuer of their certificate.
Other clients have but one default certificate and use it regardless of the
server's CA list. Your mileage may vary.
--
Viktor.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users