From: "Ronald Klop" <ronald-lists@klop.ws>
To: freebsd-current@FreeBSD.org, Rick Macklem
Date: Sun, 15 Mar 2020 19:41:08 +0100
Subject: Re: when does a server need to use SSL_CTX_set_client_CA_list()?

On Sat, 14 Mar 2020 02:28:22 +0100, Rick Macklem wrote:
> Hi,
>
> Since it is done in sample code, I have an option in the RPC-over-TLS
> server daemon that does the SSL_CTX_set_client_CA_list() call.
> When I test, I have not used this option and the code seems to work.
> Maybe this is because the client only has a single certificate?
>
> Here's the lame description I have in the man page for the option:
> .It Fl C Ar client_cafile
> If this option is specified, the server calls
> .Dq
> SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(``client_cafile''))
> during TLS context configuration.
> I do not know when this is needed, but it appears to be required for
> certain TLS configurations.
>
> Does someone know when this call is needed?
> Can you explain it? (Just about anything is better than the above;-)
>

grep -r SSL_CTX_set_client_CA_list /usr/src/* gives a couple of matches (sendmail, wpa & unbound). Maybe that source gives a hint.

Regards,
Ronald.

> Thanks, rick
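An added example, not from this thread and not code from the RPC-over-TLS daemon. What SSL_CTX_set_client_CA_list() controls on the OpenSSL server side is the certificate_authorities list carried in the TLS CertificateRequest message (RFC 5246, section 7.4.4; SSL_load_client_CA_file() only reads the CA names out of a PEM file). If that list is empty the client may send any certificate of an acceptable type, which is why a client holding a single certificate works without the option; a client holding several certificates uses the list to decide which one to present, and that is the configuration where a server needs to set it. The Python below builds and parses a TLS 1.2 CertificateRequest body and shows that selection rule on the client side. The CA names, the certificate labels and the byte layout of the sample messages are constructed test data; the DER helper encodes only a single-CN Name.

```python
"""Added example: the TLS 1.2 CertificateRequest body (RFC 5246, 7.4.4).

certificate_authorities is the field SSL_CTX_set_client_CA_list() fills on
an OpenSSL server; the client matches its certificates' issuer DNs against it.
"""
import struct
from typing import Dict, List, Optional


# --- minimal DER helpers, used only to construct sample X.501 Names ----------
def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + body


def cn_name(common_name: str) -> bytes:
    """DER Name with a single commonName: SEQUENCE { SET { SEQUENCE { OID, UTF8String } } }."""
    oid_common_name = bytes.fromhex("0603550403")  # OBJECT IDENTIFIER 2.5.4.3
    atv = _der(0x30, oid_common_name + _der(0x0C, common_name.encode()))
    return _der(0x30, _der(0x31, atv))


# --- CertificateRequest encoding / decoding ----------------------------------
def build_certificate_request(ca_names: List[bytes]) -> bytes:
    """Serialize cert types, signature algorithms and the DistinguishedName list."""
    cert_types = b"\x01"                    # ClientCertificateType rsa_sign
    sig_algs = b"\x04\x01\x05\x01"          # sha256/rsa, sha384/rsa (constructed choice)
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_names)
    return (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)


def parse_certificate_request(body: bytes) -> dict:
    """Parse the body; 'certificate_authorities' comes back as a list of DER Names."""
    pos = 0
    n = body[pos]; pos += 1
    cert_types = body[pos:pos + n]; pos += n
    (n,) = struct.unpack_from("!H", body, pos); pos += 2
    sig_algs = [body[i:i + 2] for i in range(pos, pos + n, 2)]; pos += n
    (n,) = struct.unpack_from("!H", body, pos); pos += 2
    end = pos + n
    cas = []
    while pos < end:
        (dn_len,) = struct.unpack_from("!H", body, pos); pos += 2
        cas.append(body[pos:pos + dn_len]); pos += dn_len
    if pos != end or pos != len(body):
        raise ValueError("malformed CertificateRequest: length fields do not add up")
    return {"certificate_types": cert_types,
            "signature_algorithms": sig_algs,
            "certificate_authorities": cas}


def select_client_certificate(client_certs: Dict[str, bytes],
                              ca_names: List[bytes]) -> Optional[str]:
    """Return the label of a client cert whose issuer DN is in the server's list.

    An empty list means the server named no CA, so any certificate may be sent
    (the single-certificate case in the thread). With several candidates and a
    non-empty list, only a matching issuer is acceptable.
    """
    if not ca_names:
        return next(iter(client_certs), None)
    for label, issuer_dn in client_certs.items():
        if issuer_dn in ca_names:
            return label
    return None


if __name__ == "__main__":
    ca_nfs = cn_name("Example NFS CA")            # constructed sample CA names
    ca_corp = cn_name("Example Corporate CA")
    request = parse_certificate_request(build_certificate_request([ca_nfs]))
    # client holding two certificates from different issuers (constructed)
    client_certs = {"corp-user": ca_corp, "nfs-client": ca_nfs}
    print("server lists %d CA name(s)" % len(request["certificate_authorities"]))
    print("client presents:", select_client_certificate(client_certs, request["certificate_authorities"]))
```

The parser rejects a body whose inner lengths disagree with the outer one instead of silently truncating, which is the check a server or client implementation needs before trusting any of the three vectors.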