Date: Sun, 15 Mar 2020 00:31:03 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: Garrett Wollman <wollman@hergotha.csail.mit.edu>
Cc: "freebsd-current@FreeBSD.org" <freebsd-current@FreeBSD.org>
Subject: Re: when does a server need to use SSL_CTX_set_client_CA_list()?
Message-ID: <YTBPR01MB33745928F3EB193BC8C13C32DDF80@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <202003140420.02E4Kx4q055789@hergotha.csail.mit.edu>
References: <YTBPR01MB3374B1E0DE58EC15AA4E1143DDFB0@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>, <202003140420.02E4Kx4q055789@hergotha.csail.mit.edu>
Garrett Wollman wrote:
>Rick Macklem writes:
>>Since it is done in sample code, I have an option in the RPC-over-TLS
>>server daemon that does the SSL_CTX_set_client_CA_list() call.
>>When I test, I have not used this option and the code seems to work.
>>Maybe this is because the client only has a single certificate?
>
>In general, the server needs to send a list of CAs that it's willing
>to accept for client certificate use, because the server should never
>accept just any old CA; normally, a client will interpret receiving
>the list as a request to send a client certificate issued by one of
>the indicated CAs, but the client can send its certificate even if the
>server doesn't send the list or even if the server sends a list but the
>client certificate isn't issued by a CA on the list.
>
>It's probably a good idea to send the list even if there's only a
>single valid CA, configured by prior agreement; the overhead is
>minimal and it gives an indication to a fussy or confused client what
>is being required of it.
Ok, so does SSL_CTX_load_verify_locations() set up the server to verify
the certificates and SSL_CTX_set_client_CA_list() set the list of certificate
names sent to the client?

Put another way, should the server normally do:
SSL_CTX_load_verify_locations(ctx, cafile, NULL);
and
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(cafile));
where cafile is the file with the CA certificates in it?

I currently have the server setting these via separate options and only do the
first one.
If they both use the same file, then I can simplify things and get rid of one of
the options.

Thanks for your help with this, rick

>My recollection is that in the OpenSSL API in particular, if you don't
>set an explicit client CA list, but you *do* set a CA bundle or
>directory to automatically construct the *server's* trust path, then
>the library will just send the name of every single CA it knows about.

-GAWollman
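The two effects discussed above, the CA name list the server advertises in CertificateRequest and the server-side verification of the client certificate, shown as an added example in Go (not code from this thread or from the RPC-over-TLS daemon; Go's crypto/tls is used here because it needs no OpenSSL install). In Go a single ClientCAs pool plays the role of both the SSL_CTX_load_verify_locations() trust store and the SSL_CTX_set_client_CA_list() list; the client still sends a certificate whose issuer is not on the list, and the server rejects it. Certificates are generated in memory, and newCert and mtlsHandshake are this example's own names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)
// newCert issues a short-lived Ed25519 cert for cn: a self-signed CA if parent is nil, else a leaf signed by parent/pkey.
func newCert(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{"localhost"},
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil { // self-signed CA: signs itself and may sign leaves
		parent, pkey, tmpl.KeyUsage = tmpl, key, tmpl.KeyUsage|x509.KeyUsageCertSign
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// mtlsHandshake runs one mutual-TLS handshake over loopback TCP. The server verifies the client cert against
// trusted and advertises those CAs in CertificateRequest; returns the advertised DER CA names and the server's verdict.
func mtlsHandshake(trusted *x509.CertPool, server, client tls.Certificate) (advertised [][]byte, serverErr error) {
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{server},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trusted})
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() { // server side: Handshake is where the client's chain is checked against trusted
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake()
			conn.Close()
		}
		verdict <- err
	}()
	raw, _ := net.Dial("tcp", ln.Addr().String())
	defer raw.Close()
	tls.Client(raw, &tls.Config{RootCAs: trusted, ServerName: "localhost",
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			advertised = cri.AcceptableCAs // the server's client CA list, as DER X.501 names
			return &client, nil            // sent whether or not our issuer is on that list
		}}).Handshake() // client-side error ignored: a TLS 1.3 client finishes before the server judges its cert
	return advertised, <-verdict
}
```

With a trusted CA and a second, unrelated CA, the first handshake succeeds and the second fails with a client-certificate verification error, while both clients see the same single advertised CA name.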