Hi Michel,

Indeed, that seems to work, and I note that the call is included in the 
s_server.c code.

That just leaves me a bit mystified as to why:

1.  the call is not included in the SSL_CTX_load_verify_locations() function, 
so that we don't need to read the file twice - although I guess that the latter 
is used for both client and server code.  I suppose that 
SSL_CTX_set_client_CA_list() is server-only?

2.  how the code has worked for over 10 years, to any number of different 
clients, without this call ...  I guess that most clients are more tolerant.

Thanks for your help.

G.


-----Original Message-----
From: Michel [mailto:msa...@paybox.com] 
Sent: 03 November 2011 14:10
To: openssl-users@openssl.org
Cc: Shaw Graham George
Subject: Re: Empty CA name list in Certificate Request in 0.9.8e

Hi George,

didn't you forget a call to:
SSL_CTX_set_client_CA_list()

see http://www.openssl.org/docs/ssl/SSL_CTX_set_client_CA_list.html

On 03/11/2011 14:23, Shaw Graham George wrote:
> Hi,
>
> Our software has been using OpenSSL for many years successfully, but we've 
> recently discovered a problem when running our HTTPS server against a client 
> running some IBM software (not sure exactly what at the moment).
>
> The client appears to be making a strict interpretation of the RFCs regarding 
> the CA name list in the Certificate Request sent by our server.  This is 
> required not to be empty by the RFCs (prior to TLS v1.1), but the list being 
> sent is empty.  It seems that most software is tolerant of this, but this 
> particular IBM software is not.
>
> I've been doing some testing in the code, and the name list is derived from 
> the stack of CAs in the client_CA data element of the context.  However, it 
> seems that this list is never populated by SSL_CTX_load_verify_locations().  
> I have a confession here that we are still using a rather old version, 0.9.8e.
>
> So has this been seen previously?  And has it been fixed?  Or are we missing 
> something in our code - SSL_CTX_load_verify_locations() is essentially all we 
> do to handle CAs, and this has been fine until now.
>
> I've done the usual searches in the mail archive and not managed to find 
> anything.
>
> For now I'd prefer to patch the 0.9.8e code, before moving to a more recent 
> version.
>
> Best regards,
>
> George Shaw.
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org
