Hi Michel,
Indeed, that seems to work, and I note that the call is included in the
s_server.c code.
That just leaves me a bit mystified as to why:
1. the call is not included in the SSL_CTX_load_verify_locations() function,
so that we don't need to read the file twice - although I guess that the latter
is used for both client and server code. I suppose that
SSL_CTX_set_client_CA_list() is server-only?
2. how the code has worked for over 10 years, to any number of different
clients, without this call ... I guess that most clients are more tolerant.
Thanks for your help.
G.
-Original Message-
From: Michel [mailto:msa...@paybox.com]
Sent: 03 November 2011 14:10
To: openssl-users@openssl.org
Cc: Shaw Graham George
Subject: Re: Empty CA name list in Certificate Request in 0.9.8e
Hi George,
didn't you forget a call to:
SSL_CTX_set_client_CA_list()
see http://www.openssl.org/docs/ssl/SSL_CTX_set_client_CA_list.html
On 03/11/2011 14:23, Shaw Graham George wrote:
Hi,
Our software has been using OpenSSL for many years successfully, but we've
recently discovered a problem when running our HTTPS server against a client
running some IBM software (not sure exactly what at the moment).
The client appears to be making a strict interpretation of the RFCs regarding
the CA name list in the Certificate Request sent by our server. This is
required not to be empty by the RFCs (prior to TLS v1.1), but the list being
sent is empty. It seems that most software is tolerant of this, but this
particular IBM software is not.
I've been doing some testing in the code, and the name list is derived from
the stack of CAs in the client_CA data element of the context. However, it
seems that this list is never populated by SSL_CTX_load_verify_locations().
I have a confession here that we are still using a rather old version, 0.9.8e.
So has this been seen previously? And has it been fixed? Or are we missing
something in our code - SSL_CTX_load_verify_locations() is essentially all we
do to handle CAs, and this has been fine until now.
I've done the usual searches in the mail archive and not managed to find
anything.
For now I'd prefer to patch the 0.9.8e code, before moving to a more recent
version.
Best regards,
George Shaw.
__
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majord...@openssl.org