SSL_set_client_CA_list(ssl, NULL) problem?

SSL_set_client_CA_list(ssl, NULL) problem?

Claus Assmann
I'm trying to find what's wrong when I use
SSL_set_client_CA_list(ssl, NULL);
in a server:
openssl s_client still shows "Acceptable client CA names"
(those which are previously set using
SSL_CTX_load_verify_locations())
instead of the expected
"No client certificate CA names sent"
which happens if I use
SSL_CTX_set_client_CA_list(ctx, NULL)

Not sure what's wrong:
- my program
- openssl s_client
- SSL_set_client_CA_list(ssl, NULL)
- something else

PS: openssl version is 1.0.2t
Re: SSL_set_client_CA_list(ssl, NULL) problem?

Claus Assmann
Seems it is impossible to override the list with NULL for SSL, as
the code will then use the list from CTX (if my limited understanding
of the code is correct):

STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
{
...
        if (s->client_CA != NULL)
            return (s->client_CA);
        else
            return (s->ctx->client_CA);

Is this intentional? The man page says:

SSL_set_client_CA_list() sets the list of CAs sent to the client when
requesting a client certificate for the chosen ssl, overriding the
setting valid for ssl's SSL_CTX object.


IMHO there should be some indication (flag) that the value from SSL
should be used (to distinguish between the ways NULL is used: "this
is NULL because of the initialization" and "this is explicitly set
to NULL").
Re: SSL_set_client_CA_list(ssl, NULL) problem?

Benjamin Kaduk via openssl-users
Sorry for the very late response...

On Sun, Nov 24, 2019 at 12:05:34PM +0100, Claus Assmann wrote:

> Seems it is impossible to override the list with NULL for SSL, as
> the code will then use the list from CTX (if my limited understanding
> of the code is correct):
>
> STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *s)
> {
> ...
>         if (s->client_CA != NULL)
>             return (s->client_CA);
>         else
>             return (s->ctx->client_CA);
>
> Is this intentional? The man page says:

Yes.

> SSL_set_client_CA_list() sets the list of CAs sent to the client when
> requesting a client certificate for the chosen ssl, overriding the
> setting valid for ssl's SSL_CTX object.
>
>
> IMHO there should be some indication (flag) that the value from SSL
> should be used (to distinguish between the ways NULL is used: "this
> is NULL because of the initialization" and "this is explicitly set
> to NULL").

You should be able to set a "zero-length list" (which is a non-NULL pointer
value) in order to get your desired behavior.

-Ben
Re: SSL_set_client_CA_list(ssl, NULL) problem?

Claus Assmann
On Fri, Jan 03, 2020, Benjamin Kaduk via openssl-users wrote:

> On Sun, Nov 24, 2019 at 12:05:34PM +0100, Claus Assmann wrote:
> > Seems it is impossible to override the list with NULL for SSL, as
> > the code will then use the list from CTX (if my limited understanding

> > Is this intentional? The man page says:

> Yes.

Then it would be nice to document this in the man page by adding some
text based on this:

> You should be able to set a "zero-length list" (which is a non-NULL pointer
> value) in order to get your desired behavior.

to it, e.g.,

SSL_set_client_CA_list() sets the list of CAs sent to the client when
requesting a client certificate for the chosen ssl, overriding the
setting valid for ssl's SSL_CTX object. Note: to clear the CA list
an empty stack must be passed as argument (not NULL), e.g.,
  STACK_OF(X509_NAME) *certs;
  certs = sk_X509_NAME_new_null();
  /* handle NULL result */
  SSL_set_client_CA_list(ssl, certs);

I did a brief test and it seems to work, thanks!
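As an added example (it is not code from this thread or from OpenSSL itself), the following exercises both the fallback Claus found in SSL_get_client_CA_list() and the zero-length-list workaround Ben suggests, calling the real libssl through ctypes so it can be run without a compiler. It assumes Linux with OpenSSL 1.1.0 or later (TLS_server_method and the OPENSSL_sk_* names; the thread's 1.0.2 spells the stack functions sk_new_null etc.), and the single CA name it puts into the CTX list, CN=Example Client CA, is constructed sample input standing in for what SSL_CTX_load_verify_locations() would have loaded.

```python
import ctypes
import ctypes.util

# MBSTRING_ASC from <openssl/asn1.h>: MBSTRING_FLAG (0x1000) | 1
MBSTRING_ASC = 0x1001


def _load_openssl():
    """Load libcrypto/libssl as a matching pair (assumes Linux, OpenSSL >= 1.1.0)."""
    for suffix in (".3", ".1.1"):
        try:
            return (ctypes.CDLL("libcrypto.so" + suffix),
                    ctypes.CDLL("libssl.so" + suffix))
        except OSError:
            pass
    crypto_name = ctypes.util.find_library("crypto")
    ssl_name = ctypes.util.find_library("ssl")
    if crypto_name and ssl_name:
        return ctypes.CDLL(crypto_name), ctypes.CDLL(ssl_name)
    raise OSError("libcrypto/libssl not found")


libcrypto, libssl = _load_openssl()
P = ctypes.c_void_p
INT = ctypes.c_int

# Prototypes: every pointer is declared c_void_p so ctypes never truncates it to a C int.
for fn, restype, argtypes in (
    (libssl.TLS_server_method, P, []),
    (libssl.SSL_CTX_new, P, [P]),
    (libssl.SSL_CTX_free, None, [P]),
    (libssl.SSL_new, P, [P]),
    (libssl.SSL_free, None, [P]),
    (libssl.SSL_CTX_set_client_CA_list, None, [P, P]),  # takes ownership of the stack
    (libssl.SSL_CTX_get_client_CA_list, P, [P]),
    (libssl.SSL_set_client_CA_list, None, [P, P]),      # takes ownership of the stack
    (libssl.SSL_get_client_CA_list, P, [P]),
    (libcrypto.OPENSSL_sk_new_null, P, []),             # sk_X509_NAME_new_null() in C
    (libcrypto.OPENSSL_sk_push, INT, [P, P]),
    (libcrypto.OPENSSL_sk_num, INT, [P]),               # -1 for a NULL stack, 0 for an empty one
    (libcrypto.X509_NAME_new, P, []),
    (libcrypto.X509_NAME_add_entry_by_txt, INT,
     [P, ctypes.c_char_p, INT, ctypes.c_char_p, INT, INT, INT]),
):
    fn.restype = restype
    fn.argtypes = argtypes


def client_ca_list_behaviour():
    """Report what SSL_get_client_CA_list() sees after each way of 'clearing' the list."""
    ctx = libssl.SSL_CTX_new(libssl.TLS_server_method())
    if not ctx:
        raise RuntimeError("SSL_CTX_new failed")

    # Constructed sample input: a CTX-level list holding one CA name, CN=Example Client CA.
    name = libcrypto.X509_NAME_new()
    if libcrypto.X509_NAME_add_entry_by_txt(name, b"CN", MBSTRING_ASC,
                                            b"Example Client CA", -1, -1, 0) != 1:
        raise RuntimeError("X509_NAME_add_entry_by_txt failed")
    ctx_list = libcrypto.OPENSSL_sk_new_null()
    libcrypto.OPENSSL_sk_push(ctx_list, name)
    libssl.SSL_CTX_set_client_CA_list(ctx, ctx_list)  # ctx now owns ctx_list and name

    conn = libssl.SSL_new(ctx)  # server-side SSL, as in the thread
    if not conn:
        libssl.SSL_CTX_free(ctx)
        raise RuntimeError("SSL_new failed")
    result = {}

    # 1. NULL does not override: the getter falls back to the CTX list (1 name).
    libssl.SSL_set_client_CA_list(conn, None)
    seen = libssl.SSL_get_client_CA_list(conn)
    result["null_count"] = libcrypto.OPENSSL_sk_num(seen)
    result["null_is_ctx_list"] = seen == libssl.SSL_CTX_get_client_CA_list(ctx)

    # 2. A zero-length stack is a non-NULL pointer, so it does override (0 names).
    libssl.SSL_set_client_CA_list(conn, libcrypto.OPENSSL_sk_new_null())
    seen = libssl.SSL_get_client_CA_list(conn)
    result["empty_count"] = libcrypto.OPENSSL_sk_num(seen)
    result["empty_is_ctx_list"] = seen == libssl.SSL_CTX_get_client_CA_list(ctx)

    # The CTX-level list is untouched either way; other connections still advertise it.
    result["ctx_count"] = libcrypto.OPENSSL_sk_num(libssl.SSL_CTX_get_client_CA_list(ctx))

    libssl.SSL_free(conn)     # frees the SSL's own (empty) list
    libssl.SSL_CTX_free(ctx)  # frees ctx_list and the name inside it
    return result


if __name__ == "__main__":
    for key, value in client_ca_list_behaviour().items():
        print(f"{key}: {value}")
```

The same two cases in C are the two lines of Claus's proposed man-page text: SSL_set_client_CA_list(ssl, NULL) leaves the CTX list in effect, SSL_set_client_CA_list(ssl, sk_X509_NAME_new_null()) makes the server send an empty CA-name list, which is what s_client reports as "No client certificate CA names sent". Both setters take ownership of the stack, so the empty stack must not be freed by the caller.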