Date: Sun, 15 Mar 2020 19:41:08 +0100
From: "Ronald Klop" <ronald-lists@klop.ws>
To: "freebsd-current@FreeBSD.org" <freebsd-current@freebsd.org>, "Rick Macklem" <rmacklem@uoguelph.ca>
Subject: Re: when does a server need to use SSL_CTX_set_client_CA_list()?
Message-ID: <op.0hi96u2bkndu52@sjakie>
In-Reply-To: <YTBPR01MB3374B1E0DE58EC15AA4E1143DDFB0@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>
References: <YTBPR01MB3374B1E0DE58EC15AA4E1143DDFB0@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>
On Sat, 14 Mar 2020 02:28:22 +0100, Rick Macklem <rmacklem@uoguelph.ca> wrote:

> Hi,
>
> Since it is done in sample code, I have an option in the RPC-over-TLS
> server daemon that does the SSL_CTX_set_client_CA_list() call.
> When I test, I have not used this option and the code seems to work.
> Maybe this is because the client only has a single certificate?
>
> Here's the lame description I have in the man page for the option:
> .It Fl C Ar client_cafile
> If this option is specified, the server calls
> .Dq
> SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(``client_cafile''))
> during TLS context configuration.
> I do not know when this is needed, but it appears to be required for
> certain TLS configurations.
>
> Does someone know when this call is needed?
> Can you explain it? (Just about anything is better than the above;-)

grep -r SSL_CTX_set_client_CA_list /usr/src/* gives a couple of matches (sendmail, wpa & unbound). Maybe that source gives a hint.

Regards,
Ronald.

> Thanks, rick
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to
> "freebsd-current-unsubscribe@freebsd.org"