Date: Sat, 14 Mar 2020 01:28:22 +0000
From: Rick Macklem <rmacklem@uoguelph.ca>
To: "freebsd-current@FreeBSD.org" <freebsd-current@FreeBSD.org>
Subject: when does a server need to use SSL_CTX_set_client_CA_list()?
Message-ID: <YTBPR01MB3374B1E0DE58EC15AA4E1143DDFB0@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>
Hi,

Since it is done in sample code, I have an option in the RPC-over-TLS
server daemon that does the SSL_CTX_set_client_CA_list() call.
When I test, I have not used this option and the code seems to work.
Maybe this is because the client only has a single certificate?

Here's the lame description I have in the man page for the option:
.It Fl C Ar client_cafile
If this option is specified, the server calls
.Dq SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(``client_cafile''))
during TLS context configuration.
I do not know when this is needed, but it appears to be required for
certain TLS configurations.

Does someone know when this call is needed?
Can you explain it? (Just about anything is better than the above;-)

Thanks, rick
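Added illustration, not part of Rick's post or of the RPC-over-TLS daemon: the list that SSL_CTX_set_client_CA_list() installs is what the server sends as the certificate_authorities field of its CertificateRequest, and a CA-list-aware client uses those names to decide which of its certificates to present. The C below models the TLS 1.2 message layout (RFC 5246 section 7.4.4) with constructed sample bytes, hypothetical CA names, and an assumed select_client_cert() helper; it shows why a client holding a single certificate behaves the same whether or not the server made the call, while a client with several certificates needs the list to pick the right one.

```c
#include <stdint.h>
#include <string.h>
/* Constructed DER names (hypothetical, not from the post). */
static const uint8_t DN_TEST_CA[] = {                     /* CN=Test CA */
    0x30,0x12,0x31,0x10,0x30,0x0e,0x06,0x03,0x55,0x04,0x03,0x0c,0x07,
    'T','e','s','t',' ','C','A' };
static const uint8_t DN_OTHER_CA[] = {                    /* CN=Other CA */
    0x30,0x13,0x31,0x11,0x30,0x0f,0x06,0x03,0x55,0x04,0x03,0x0c,0x08,
    'O','t','h','e','r',' ','C','A' };
/* Constructed TLS 1.2 CertificateRequest body (RFC 5246 7.4.4) sent by a server
 * that called SSL_CTX_set_client_CA_list() with a list holding CN=Test CA. */
static const uint8_t CERT_REQ_WITH_CA[] = {
    0x01, 0x01,                /* certificate_types: rsa_sign */
    0x00, 0x02, 0x04, 0x01,    /* supported_signature_algorithms: sha256/rsa */
    0x00, 0x16, 0x00, 0x14,    /* certificate_authorities: one 20-byte DN */
    0x30,0x12,0x31,0x10,0x30,0x0e,0x06,0x03,0x55,0x04,0x03,0x0c,0x07,
    'T','e','s','t',' ','C','A' };
/* The same request from a server that skipped the call: an empty CA list. */
static const uint8_t CERT_REQ_NO_CA[] = {
    0x01, 0x01, 0x00, 0x02, 0x04, 0x01, 0x00, 0x00 };
struct client_cert { const uint8_t *issuer; size_t issuer_len; };
static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }
/* Choose the client certificate to present the way a CA-list-aware client does:
 * the first one whose issuer DN is among the advertised names. Returns an index
 * into certs[], -1 if names were advertised but none match, -2 on a malformed
 * message. An empty list lets the client send any certificate (RFC 5246), so
 * index 0 is returned; that is why a single-certificate client works either way. */
static int select_client_cert(const uint8_t *msg, size_t len,
                              const struct client_cert *certs, size_t ncerts)
{
    size_t off, n;
    if (len < 1) return -2;
    off = 1 + msg[0];                       /* skip certificate_types */
    if (off + 2 > len) return -2;
    off += 2 + be16(msg + off);             /* skip supported_signature_algorithms */
    if (off + 2 > len) return -2;
    n = be16(msg + off); off += 2;          /* certificate_authorities<0..2^16-1> */
    if (off + n != len) return -2;
    if (n == 0) return ncerts ? 0 : -1;
    while (off < len) {
        if (off + 2 > len) return -2;
        size_t dn_len = be16(msg + off); off += 2;
        if (off + dn_len > len) return -2;
        for (size_t i = 0; i < ncerts; i++)
            if (certs[i].issuer_len == dn_len &&
                memcmp(certs[i].issuer, msg + off, dn_len) == 0)
                return (int)i;
        off += dn_len;
    }
    return -1;
}
```

TLS 1.3 carries the same name list in the certificate_authorities extension, so the selection logic is unchanged there even though the framing differs.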