Empty CA name list in Certificate Request in 0.9.8e

2011-11-03 Thread Shaw Graham George
Hi,

Our software has been using OpenSSL for many years successfully, but we've 
recently discovered a problem when running our HTTPS server against a client 
running some IBM software (not sure exactly what at the moment).

The client appears to be making a strict interpretation of the RFCs regarding 
the CA name list in the Certificate Request sent by our server.  This is 
required not to be empty by the RFCs (prior to TLS v1.1), but the list being 
sent is empty.  It seems that most software is tolerant of this, but this 
particular IBM software is not.

I've been doing some testing in the code, and the name list is derived from 
the stack of CAs in the client_CA data element of the context.  However, it 
seems that this list is never populated by SSL_CTX_load_verify_locations().  I 
have a confession here that we are still using a rather old version, 0.9.8e.

So has this been seen previously?  And has it been fixed?  Or are we missing 
something in our code - SSL_CTX_load_verify_locations() is essentially all we 
do to handle CAs, and this has been fine until now.

I've done the usual searches in the mail archive and not managed to find 
anything.

For now I'd prefer to patch the 0.9.8e code, before moving to a more recent 
version.

Best regards,

George Shaw.

__
OpenSSL Project                  http://www.openssl.org
User Support Mailing List        openssl-users@openssl.org
Automated List Manager           majord...@openssl.org


RE: Empty CA name list in Certificate Request in 0.9.8e

2011-11-03 Thread Shaw Graham George
Hi Michel,

Indeed, that seems to work, and I note that the call is included in the 
s_server.c code.

That just leaves me a bit mystified as to why:

1.  the call is not included in the SSL_CTX_load_verify_locations() function, 
so that we don't need to read the file twice - although I guess that the latter 
is used for both client and server code.  I suppose that 
SSL_CTX_set_client_CA_list() is server-only?

2.  how the code has worked for over 10 years, to any number of different 
clients, without this call ...  I guess that most clients are more tolerant.

Thanks for your help.

G.


-Original Message-
From: Michel [mailto:msa...@paybox.com] 
Sent: 03 November 2011 14:10
To: openssl-users@openssl.org
Cc: Shaw Graham George
Subject: Re: Empty CA name list in Certificate Request in 0.9.8e

Hi George,

didn't you forget a call to:
SSL_CTX_set_client_CA_list()

see http://www.openssl.org/docs/ssl/SSL_CTX_set_client_CA_list.html

On 03/11/2011 14:23, Shaw Graham George wrote:
> Hi,
>
> Our software has been using OpenSSL for many years successfully, but we've 
> recently discovered a problem when running our HTTPS server against a client 
> running some IBM software (not sure exactly what at the moment).
>
> The client appears to be making a strict interpretation of the RFCs regarding 
> the CA name list in the Certificate Request sent by our server.  This is 
> required not to be empty by the RFCs (prior to TLS v1.1), but the list being 
> sent is empty.  It seems that most software is tolerant of this, but this 
> particular IBM software is not.
>
> I've been doing some testing in the code, and the name list is derived from 
> the stack of CAs in the client_CA data element of the context.  However, it 
> seems that this list is never populated by SSL_CTX_load_verify_locations().  
> I have a confession here that we are still using a rather old version, 0.9.8e.
>
> So has this been seen previously?  And has it been fixed?  Or are we missing 
> something in our code - SSL_CTX_load_verify_locations() is essentially all we 
> do to handle CAs, and this has been fine until now.
>
> I've done the usual searches in the mail archive and not managed to find 
> anything.
>
> For now I'd prefer to patch the 0.9.8e code, before moving to a more recent 
> version.
>
> Best regards,
>
> George Shaw.