SSL_set_client_CA_list(ssl, NULL) problem?


SSL_set_client_CA_list(ssl, NULL) problem?

Claus Assmann
I'm trying to find what's wrong when I use
SSL_set_client_CA_list(ssl, NULL);
in a server:
openssl s_client still shows "Acceptable client CA names"
(those which are previously set using
SSL_CTX_load_verify_locations())
instead of the expected
"No client certificate CA names sent"
which happens if I use
SSL_CTX_set_client_CA_list(ctx, NULL)

Not sure what's wrong:
- my program
- openssl s_client
- SSL_set_client_CA_list(ssl, NULL)
- something else

PS: openssl version is 1.0.2t

Re: SSL_set_client_CA_list(ssl, NULL) problem?

Claus Assmann
Seems it is impossible to override the list with NULL for SSL, as
the code will then use the list from CTX (if my limited understanding
of the code is correct):

STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
{
...
        /* a NULL per-SSL list is treated as "not set", not as "empty" */
        if (s->client_CA != NULL)
            return (s->client_CA);
        else
            return (s->ctx->client_CA);   /* fall back to the SSL_CTX list */

Is this intentional? The man page says:

SSL_set_client_CA_list() sets the list of CAs sent to the client when
requesting a client certificate for the chosen ssl, overriding the
setting valid for ssl's SSL_CTX object.


IMHO there should be some indication (flag) that the value from SSL
should be used (to distinguish between the ways NULL is used: "this
is NULL because of the initialization" and "this is explicitly set
to NULL").