From: Rick Macklem <rmacklem@uoguelph.ca>
To: Ronald Klop, freebsd-current@FreeBSD.org
Subject: Re: when does a server need to use SSL_CTX_set_client_CA_list()?
Date: Sun, 15 Mar 2020 23:27:58 +0000
List-Id: Discussions about the use of FreeBSD-current <freebsd-current@freebsd.org>
Ronald Klop wrote:
> On Sat, 14 Mar 2020 02:28:22 +0100, Rick Macklem wrote:
>
>> Hi,
>>
>> Since it is done in sample code, I have an option in the RPC-over-TLS
>> server daemon that does the SSL_CTX_set_client_CA_list() call.
>> When I test, I have not used this option and the code seems to work.
>> Maybe this is because the client only has a single certificate?
>>
>> Here's the lame description I have in the man page for the option:
>> .It Fl C Ar client_cafile
>> If this option is specified, the server calls
>> .Dq
>> SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(``client_cafile''))
>> during TLS context configuration.
>> I do not know when this is needed, but it appears to be required for
>> certain TLS configurations.
>>
>> Does someone know when this call is needed?
>> Can you explain it? (Just about anything is better than the above;-)
>>
>
> grep -r SSL_CTX_set_client_CA_list /usr/src/* gives a couple of matches
> (sendmail, wpa & unbound). Maybe that source gives a hint.

Good point. I had looked at the s_server in openssl, but not the others.
It looks like wpa and unbound do what I was thinking of and use the
CAfile argument for both SSL_CTX_load_verify_locations() and
SSL_CTX_set_client_CA_list(SSL_load_client_CA_file()), setting CApath NULL
for SSL_CTX_load_verify_locations().

Sendmail and the s_server.c in openssl pass both CAfile and CApath arguments
to SSL_CTX_load_verify_locations() and then use the CAfile argument for
SSL_CTX_set_client_CA_list(SSL_load_client_CA_file()).
This means that SSL_CTX_set_client_CA_list() was only called for the CAfile case
and not the CApath case.
(The SSL_CTX_load_verify_locations() man page notes that
the certificates in CApath are only loaded when verification is being done and
only when a certificate is not found in CAfile, but that doesn't seem to answer
when/if CApath gets used. It is a directory of CA files, but why do it that way
instead of putting them all in a single CAfile?)

As such, it still seems to be a bit of a mystery to me, but it seems that putting
all the certificates in a CAfile and not using a CApath directory is the simpler
way to go.

I haven't yet decided whether or not I'll specify a command option for setting
CApath. Sendmail does. wpa and unbound don't?

Thanks for the suggestion, rick

> Regards,
>
> Ronald.
>
>> Thanks, rick