'No client certificate CA names sent'

'No client certificate CA names sent'

russellbell

        I apologize if you've answered this question before.  I've
read some of the answers I've found in the archives but I don't
understand them.
        What does this message mean?  That I failed to send a client
certificate CA name?  That I failed to receive one?

        I run

        openssl s_client -cert gmail.pem -key gmail.key -CAfile cacert.pem -debug -verify 10 -connect smtp.gmail.com:465

I don't see an argument to send a client certificate CA name in
s_client's man page.
--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: 'No client certificate CA names sent'

Viktor Dukhovni

> On Jan 29, 2017, at 11:34 AM, [hidden email] wrote:
>
> What does this message mean?  That I failed to send a client
> certificate CA name?  That I failed to receive one?  I run
>
>  $ openssl s_client -cert gmail.pem -key gmail.key \
>      -CAfile cacert.pem -debug -verify 10 -connect smtp.gmail.com:465
>
> I don't see an argument to send a client certificate CA name in
> s_client's man page.

The list of "client certificate CA names" is optionally sent by servers when
requesting client certificates.   It is normal for no such list to be sent,
and it is often wise to send an empty list when requesting client certificates.
All this is controlled on the server side.

--
        Viktor.
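What that list looks like on the wire, as an added example that is not part of the thread and not OpenSSL's own code: a TLS 1.2 CertificateRequest builder and parser in Python. The server's CertificateRequest (RFC 5246, section 7.4.4) carries certificate_authorities, a vector of DER-encoded X.501 Names. A zero-length vector is exactly the empty list Viktor describes, and it is what s_client reports as "No client certificate CA names sent"; when names are present it prints "Acceptable client certificate CA names" followed by the names. The CA name, the three OIDs and the single-valued-RDN Name encoder are assumptions made for the example (real Names may use other string types and multi-valued RDNs). In TLS 1.3 the same list moves into the certificate_authorities extension (RFC 8446, section 4.2.4), so this parser is for the TLS 1.2 handshake message only.

```python
"""TLS 1.2 CertificateRequest builder/parser (added example, not OpenSSL code)."""
import struct

HANDSHAKE_CERTIFICATE_REQUEST = 13   # HandshakeType certificate_request
RSA_SIGN = 1                         # ClientCertificateType rsa_sign
SIG_ALG_RSA_SHA256 = (4, 1)          # SignatureAndHashAlgorithm {sha256, rsa}

# Attribute type OIDs for the toy Name encoder: 2.5.4.3 (CN), 2.5.4.10 (O), 2.5.4.6 (C)
OIDS = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a", "C": b"\x55\x04\x06"}
OID_NAMES = {v: k for k, v in OIDS.items()}


def der_tlv(tag, content):
    """Encode one DER tag-length-value with minimal length bytes (up to 65535)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + struct.pack(">H", n)
    return bytes([tag]) + length + content


def der_read(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER element overruns buffer")
    return tag, buf[pos:pos + length], pos + length


def encode_name(attrs):
    """DER-encode an X.501 Name: SEQUENCE of SET of SEQUENCE {OID, UTF8String}."""
    rdns = b"".join(
        der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, OIDS[k]) + der_tlv(0x0C, v.encode())))
        for k, v in attrs)
    return der_tlv(0x30, rdns)


def decode_name(der):
    """Render a DER Name as C=../O=../CN=.. (assumes single-valued RDNs)."""
    tag, seq, end = der_read(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("Name must be exactly one SEQUENCE")
    parts, pos = [], 0
    while pos < len(seq):
        tag, rdn, pos = der_read(seq, pos)
        if tag != 0x31:
            raise ValueError("RelativeDistinguishedName must be a SET")
        _, atv, _ = der_read(rdn, 0)
        _, oid, p = der_read(atv, 0)
        _, value, _ = der_read(atv, p)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={value.decode()}")
    return "/".join(parts)


def build_certificate_request(ca_names):
    """Build the handshake message; ca_names is a list of DER Names (may be empty)."""
    types = bytes([RSA_SIGN])
    sigalgs = bytes(SIG_ALG_RSA_SHA256)
    cas = b"".join(struct.pack(">H", len(n)) + n for n in ca_names)
    body = (bytes([len(types)]) + types
            + struct.pack(">H", len(sigalgs)) + sigalgs
            + struct.pack(">H", len(cas)) + cas)   # certificate_authorities<0..2^16-1>
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg):
    """Parse the message, rejecting truncation, trailing bytes and empty names."""
    if msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    body = msg[4:]
    if len(body) != int.from_bytes(msg[1:4], "big"):
        raise ValueError("handshake length mismatch")
    pos = 1 + body[0]
    types = list(body[1:pos])
    (n,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2
    sigalgs = [tuple(body[i:i + 2]) for i in range(pos, pos + n, 2)]; pos += n
    (n,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2
    end = pos + n
    if end != len(body):
        raise ValueError("certificate_authorities length does not match body")
    names = []
    while pos < end:
        (l,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2
        if l == 0 or pos + l > end:            # DistinguishedName<1..2^16-1>
            raise ValueError("bad DistinguishedName length")
        names.append(decode_name(body[pos:pos + l])); pos += l
    return {"types": types, "sigalgs": sigalgs, "ca_names": names}


def s_client_summary(msg):
    """The lines `openssl s_client` prints for this part of the handshake."""
    names = parse_certificate_request(msg)["ca_names"]
    if not names:
        return "No client certificate CA names sent"
    return "Acceptable client certificate CA names\n" + "\n".join(names)
```

Feeding `build_certificate_request([])` to `s_client_summary` yields the thread's message; adding one encoded Name switches it to the "Acceptable client certificate CA names" form. The parser refuses a zero-length DistinguishedName because the vector element is declared as `opaque DistinguishedName<1..2^16-1>`; an empty list is expressed by the outer vector having length zero, not by an empty element.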

Re: 'No client certificate CA names sent'

russellbell
In reply to this post by russellbell
        Quoth Mr Viktor Dukhovni, 'it is often wise to send an empty
list when requesting client certificates.'
        How does one send an empty list?


Re: 'No client certificate CA names sent'

OpenSSL - User mailing list
On 01/30/2017 10:44 AM, [hidden email] wrote:
	Quoth Mr Viktor Dukhovni, 'it is often wise to send an empty
list when requesting client certificates.'
	How does one send an empty list?


That's generally the default server behavior when no CAs are configured for that purpose.  But, (1) I thought you were looking at the client side, and (2) how to configure the server depends on what software is used on the server, so there's not much more to say right now.

-Ben


Re: 'No client certificate CA names sent'

Viktor Dukhovni
In reply to this post by russellbell

> On Jan 30, 2017, at 11:44 AM, [hidden email] wrote:
>
>> it is often wise to send an empty list when requesting client certificates.
>
> How does one send an empty list?

https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_client_CA_list.html

Just pass a NULL stack.

--
        Viktor.


Re: 'No client certificate CA names sent'

russellbell
In reply to this post by russellbell
        Quoth Mr Benjamin Kaduk:

        'That's generally the default server behavior when no CAs are
configured for that purpose.  But, (1) I thought you were looking at
the client side, and (2) how to configure the server depends on what
software is used on the server, so there's not much more to say right
now.'
        It was on the client side.  I'm running sendmail as a client
to relay mail that originates on my computer through gmail.  When I
request a certificate from gmail I get that message in the return
(along with a certificate).  It may not matter.  It doesn't keep me
from sending mail through gmail.  I just wanted to understand it.
        When I send mail through gmail, sendmail reports
'verify=FAIL'.  I hoped to make that not happen.

        Quoth Mr Viktor Dukhovni:

        'https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_client_CA_list.html

        That's the same as the man page I already have.

        'Just pass a NULL stack.'

        Is there an app with which I can do this or do I have to write
a program?  Not that I can't do that.

russell bell

Re: 'No client certificate CA names sent'

Viktor Dukhovni
On Tue, Jan 31, 2017 at 08:07:16AM -0700, [hidden email] wrote:

> It was on the client side.  I'm running sendmail as a client
> to relay mail that originates on my computer through gmail.

Gmail's SMTP server, correctly, does not suggest any preferred
client CAs.

> When I
> request a certificate from gmail I get that message in the return
> (along with a certificate).  It may not matter.

Not only does it not matter, it is expected and best practice.

> When I send mail through gmail, sendmail reports
> 'verify=FAIL'.  I hoped to make that not happen.

Completely unrelated to the preferred client CA list.  Sendmail's
TLS support is fairly anaemic, you should probably just ignore
this.  While it is possible to "verify" the certificate, that's
pointless unless you also configure secure matching of the MX
hostname against the certificate.  Absent DNSSEC (which gmail does
not currently support) you'd need to define custom policy for gmail
that insists on their current MX hostnames or some fuzzy match
thereof.  This is much too much work.

    https://tools.ietf.org/html/rfc7672#section-1.3

For now, opportunistic unauthenticated TLS will do and is what
most SMTP email uses:

    https://tools.ietf.org/html/rfc7435#section-1.3
    https://www.google.com/transparencyreport/saferemail/

> Quoth Mr Viktor Dukhovni:
>
> 'https://www.openssl.org/docs/man1.1.0/ssl/SSL_CTX_set_client_CA_list.html
>
> That's the same as the man page I already have.
>
> 'Just pass a NULL stack.'
>
> Is there an app with which I can do this or do I have to write
> a program?  Not that I can't do that.

None of this is applicable on the client side.

--
        Viktor.
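The hostname-matching point above, as an added example that is not sendmail's code and not from the thread: a small Python policy check that decides which names in an already-validated certificate count as the relay's reference identifiers. The pinned relay hostname, the attacker's hostname and both SAN lists are constructed for the illustration; sendmail's own access-map TLS policy is not reproduced, and the DANE/TLSA lookup itself is out of scope. The example only models the rule Viktor points at: a chain that verifies tells you a trusted CA signed something, and you still have to decide which name you will accept, and without DNSSEC the MX hostname you got from DNS cannot be that name, because an attacker who can spoof the lookup also picks it.

```python
"""Reference-identity matching for an SMTP relay (added example, not sendmail code)."""


def dns_name_matches(san, reference):
    """RFC 6125-style dNSName comparison.

    Case-insensitive; a wildcard is honoured only as the whole left-most label,
    it matches exactly one label, and it is refused directly under a top-level label.
    """
    san = san.lower().rstrip(".")
    reference = reference.lower().rstrip(".")
    if "*" not in san:
        return san == reference
    if not san.startswith("*.") or "*" in san[2:]:
        return False                      # "rel*.example" and "*.*.example" are rejected
    san_labels = san.split(".")
    ref_labels = reference.split(".")
    if len(san_labels) < 3 or len(ref_labels) != len(san_labels):
        return False                      # "*.example" is refused; one label only, never the apex
    return ref_labels[1:] == san_labels[1:]


def relay_authenticated(san_dns_names, pinned_hosts, dns_mx_host=None, dnssec_validated=False):
    """Decide whether a chain-validated certificate names the intended relay.

    Returns (ok, reason). Reference identifiers are the policy-pinned hostnames,
    plus the DNS-supplied MX hostname only when that answer was DNSSEC-validated
    (the model RFC 7672 builds on; the TLSA lookup itself is not modelled here).
    """
    references = {h.lower().rstrip(".") for h in pinned_hosts}
    if dns_mx_host and dnssec_validated:
        references.add(dns_mx_host.lower().rstrip("."))
    for ref in sorted(references):
        for san in san_dns_names:
            if dns_name_matches(san, ref):
                return True, f"SAN {san!r} matches reference identifier {ref!r}"
    return False, "no SAN matches a policy-approved relay hostname"


def naive_check(san_dns_names, dns_mx_host):
    """What a client does when it trusts an unsigned MX answer as the reference.

    With plain DNS the attacker chooses dns_mx_host, so a valid certificate for
    a name the attacker legitimately owns passes this check.
    """
    return any(dns_name_matches(san, dns_mx_host) for san in san_dns_names)


# Constructed scenario: local policy pins the relay, the (unsigned) MX lookup is spoofed.
PINNED = ["relay.mail.example"]                   # hypothetical operator policy
GENUINE_SANS = ["relay.mail.example", "*.mail.example"]
ATTACKER_SANS = ["mx.attacker.example"]           # attacker owns this name and holds a real cert
SPOOFED_MX = "mx.attacker.example"                # what the poisoned MX lookup returned


def demo():
    """Run both checks against both certificates; returns the three verdicts."""
    return {
        "genuine_policy": relay_authenticated(GENUINE_SANS, PINNED, SPOOFED_MX)[0],
        "attacker_policy": relay_authenticated(ATTACKER_SANS, PINNED, SPOOFED_MX)[0],
        "attacker_naive": naive_check(ATTACKER_SANS, SPOOFED_MX),
    }


if __name__ == "__main__":
    for verdict, value in demo().items():
        print(f"{verdict}: {value}")
```

`demo()` returns three verdicts: the genuine relay passes under the pinned policy, the attacker's certificate (a perfectly valid one for a name the attacker owns) fails it, and that same certificate passes the naive check that uses the unsigned MX answer as its reference. That last case is the failure mode behind the remark that verifying the chain is pointless on its own.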