Date: Mon, 16 Mar 2020 09:19:40 +0100
From: Alexander Leidinger <Alexander@leidinger.net>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: Ronald Klop <ronald-lists@klop.ws>, freebsd-current@freebsd.org
Subject: Re: when does a server need to use SSL_CTX_set_client_CA_list()?
Message-ID: <20200316091940.Horde.16mziiZfZLwd2x3zuIke061@webmail.leidinger.net>
In-Reply-To: <YTBPR01MB33745B4D14573F6D503C956EDDF80@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>
References: <YTBPR01MB3374B1E0DE58EC15AA4E1143DDFB0@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM> <op.0hi96u2bkndu52@sjakie> <YTBPR01MB33745B4D14573F6D503C956EDDF80@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>
Quoting Rick Macklem <rmacklem@uoguelph.ca> (from Sun, 15 Mar 2020 23:27:58 +0000):

> As such, it still seems to be a bit of a mystery to me, but it seems that putting
> all the certificates in a CAfile and not using a CApath directory is the simpler
> way to go.

If you have multiple CAs in the file, the code needs to search for one which matches. If you use the path, the code just needs to list the directory and check the filename which matches the id of the CA-cert. On a recent -current system where you've never run "certctl rehash", have a look into /etc/ssl/certs, then run "certctl rehash", and then check /etc/ssl/certs again to see what I mean.

For a program which communicates with a lot of different systems which use different CAs (mailserver, browser), the path makes sense. For an NFS server I wouldn't configure all the Mozilla-accepted CAs. As such a CAfile may be enough, but having the possibility for both allows the user to choose which way he wants to configure his system (e.g. maybe he has just one CA in a directory, but for consistency reasons he prefers to specify the path to be able to use one way to configure things).

You can do it either way, technically it doesn't matter. It makes sense to have both possibilities (that would be my preference, to give the user the choice which way he wants to handle it). Having only the file-way would not be stupid (as you can see with wpa and unbound, which are used in a similar way in this regard as one would use NFS). Only the path-way would be less favorable in my opinion.

> I haven't yet decided whether or not I'll specify a command option for setting
> CApath. Sendmail does. wpa and unbound don't?

Sendmail needs to use more than one CA if it wants to validate connections from anyone, and it wants to do it in a performant way. WIFI and DNS typically only need one CA.

Bye,
Alexander.
-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF
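The CAfile/CApath difference discussed above can be reproduced on any machine with openssl(1), without touching /etc/ssl/certs. The script below is an added example, not code from the thread or from the NFS-over-TLS work it discusses: it builds a throw-away CA and leaf certificate (the names "Example NFS CA" and "nfs-client.example" are constructed), places the CA into a CApath directory under the hash-derived filename that certctl rehash and openssl rehash generate, and then verifies the leaf three ways: against the CAfile, against the hashed CApath, and against a directory holding the same CA under an arbitrary filename. The last case fails, because the CApath lookup does not scan the directory at all: OpenSSL hashes the issuer's subject name and opens `<hash>.0`, `<hash>.1`, ... directly.

```shell
#!/bin/sh
# Added example (not from the thread): exercise OpenSSL's CAfile and CApath
# lookups with a throw-away CA, to show why a CApath directory needs the
# hash-named entries that "certctl rehash" / "openssl rehash" create.
# Assumes openssl(1) is installed; everything else is generated here and
# removed on exit. Subject names below are constructed for the example.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not installed; nothing to demonstrate" >&2
    exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request configs so the run does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
CN = Example NFS CA
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
cat > "$WORK/leaf.cnf" <<'EOF'
[ req ]
prompt = no
distinguished_name = dn
[ dn ]
CN = nfs-client.example
EOF

# Self-signed CA, then a leaf certificate issued by that CA.
openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 \
    -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem"
openssl req -new -newkey rsa:2048 -nodes \
    -config "$WORK/leaf.cnf" -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr"
openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/leaf.pem"

# CApath layout: the file name is the hash of the CA's subject name plus a
# sequence number, exactly what certctl rehash / openssl rehash would create.
# OpenSSL opens "<hash>.0", "<hash>.1", ... directly; it never lists the dir.
HASH=$(openssl x509 -in "$WORK/ca.pem" -noout -subject_hash)
mkdir "$WORK/capath" "$WORK/unhashed"
cp "$WORK/ca.pem" "$WORK/capath/$HASH.0"
cp "$WORK/ca.pem" "$WORK/unhashed/ca.pem"   # same CA, wrong (unhashed) filename

# Each check prints "ok" when the leaf chains to the CA and "fail" otherwise.
verify_with_cafile() {
    if openssl verify -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}
verify_with_capath() {
    if openssl verify -CApath "$WORK/capath" "$WORK/leaf.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}
verify_with_unhashed_dir() {
    if openssl verify -CApath "$WORK/unhashed" "$WORK/leaf.pem" >/dev/null 2>&1
    then echo ok; else echo fail; fi
}

echo "CAfile:                $(verify_with_cafile)"
echo "CApath ($HASH.0):    $(verify_with_capath)"
echo "CApath, unhashed name: $(verify_with_unhashed_dir)"
```

The third line of output is the practical point for anyone shipping a CApath option: a directory that merely contains the right PEM files verifies nothing until it has been rehashed, so a server that accepts -CApath should document that requirement (or run the equivalent of certctl rehash itself), whereas a CAfile works as soon as the certificates are concatenated into it.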
