From: Rick Macklem <rmacklem@uoguelph.ca>
To: freebsd-current@FreeBSD.org
Subject: when does a server need to use SSL_CTX_set_client_CA_list()?
Date: Sat, 14 Mar 2020 01:28:22 +0000

Hi,

Since it is done in sample code, I have an option in the RPC-over-TLS
server daemon that does the SSL_CTX_set_client_CA_list() call.
When I test, I have not used this option and the code seems to work.
Maybe this is because the client only has a single certificate?

Here's the lame description I have in the man page for the option:

.It Fl C Ar client_cafile
If this option is specified, the server calls
.Dq SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(``client_cafile''))
during TLS context configuration.
I do not know when this is needed, but it appears to be required for
certain TLS configurations.

Does someone know when this call is needed?
Can you explain it? (Just about anything is better than the above;-)

Thanks, rick