Date:      Sun, 15 Mar 2020 23:27:58 +0000
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Ronald Klop <ronald-lists@klop.ws>, "freebsd-current@FreeBSD.org" <freebsd-current@FreeBSD.org>
Subject:   Re: when does a server need to use SSL_CTX_set_client_CA_list()?
Message-ID:  <YTBPR01MB33745B4D14573F6D503C956EDDF80@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>
In-Reply-To: <op.0hi96u2bkndu52@sjakie>
References:  <YTBPR01MB3374B1E0DE58EC15AA4E1143DDFB0@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>, <op.0hi96u2bkndu52@sjakie>

Ronald Klop wrote:
>On Sat, 14 Mar 2020 02:28:22 +0100, Rick Macklem <rmacklem@uoguelph.ca>
>wrote:
>
>> Hi,
>>
>> Since it is done in sample code, I have an option in the RPC-over-TLS
>> server daemon that does the SSL_CTX_set_client_CA_list() call.
>> When I test, I have not used this option and the code seems to work.
>> Maybe this is because the client only has a single certificate?
>>
>> Here's the lame description I have in the man page for the option:
>> .It Fl C Ar client_cafile
>> If this option is specified, the server calls
>> .Dq
>> SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(``client_cafile''))
>> during TLS context configuration.
>> I do not know when this is needed, but it appears to be required for
>> certain TLS configurations.
>>
>> Does someone know when this call is needed?
>> Can you explain it? (Just about anything is better than the above;-)
>>
>
>
>grep -r SSL_CTX_set_client_CA_list /usr/src/* gives a couple of matches
>(sendmail, wpa & unbound). Maybe that source gives a hint.
Good point. I had looked at the s_server in openssl, but not the others.
It looks like wpa and unbound do what I was thinking of and use the
CAfile argument for both SSL_CTX_load_verify_locations() and
SSL_CTX_set_client_CA_list(SSL_load_client_CA_file()), setting CApath NULL
for SSL_CTX_load_verify_locations().

Sendmail and the s_server.c in openssl pass both CAfile and CApath arguments
to SSL_CTX_load_verify_locations() and then use the CAfile argument for
SSL_CTX_set_client_CA_list(SSL_load_client_CA_file()).
This means that SSL_CTX_set_client_CA_list() was only called for the CAfile case
and not the CApath case. (The SSL_CTX_load_verify_locations() man page notes that
the certificates in CApath are only loaded when verification is being done and
only when a certificate is not found in CAfile, but that doesn't seem to answer
when/if CApath gets used. It is a directory of CA files, but why do it that way
instead of putting them all in a single CAfile?)

As such, it still seems to be a bit of a mystery to me, but it seems that putting
all the certificates in a CAfile and not using a CApath directory is the simpler
way to go.

I haven't yet decided whether or not I'll specify a command option for setting
CApath. Sendmail does. wpa and unbound don't?

Thanks for the suggestion, rick

Regards,

Ronald.


> Thanks, rick
> _______________________________________________
> freebsd-current@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-current
> To unsubscribe, send any mail to
> "freebsd-current-unsubscribe@freebsd.org"