Date: Mon, 16 Mar 2020 09:19:40 +0100
From: Alexander Leidinger <Alexander@leidinger.net>
To: Rick Macklem <rmacklem@uoguelph.ca>
Cc: Ronald Klop <ronald-lists@klop.ws>, freebsd-current@freebsd.org
Subject: Re: when does a server need to use SSL_CTX_set_client_CA_list()?
Message-ID: <20200316091940.Horde.16mziiZfZLwd2x3zuIke061@webmail.leidinger.net>
In-Reply-To: <YTBPR01MB33745B4D14573F6D503C956EDDF80@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>
References: <YTBPR01MB3374B1E0DE58EC15AA4E1143DDFB0@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM> <op.0hi96u2bkndu52@sjakie> <YTBPR01MB33745B4D14573F6D503C956EDDF80@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>
Quoting Rick Macklem <rmacklem@uoguelph.ca> (from Sun, 15 Mar 2020 23:27:58 +0000):

> As such, it still seems to be a bit of a mystery to me, but it seems that putting
> all the certificates in a CAfile and not using a CApath directory is the simpler
> way to go.

If you have multiple CAs in the file, the code needs to search for one which matches. If you use the path, the code just needs to list the directory and check the filename which matches the id of the CA-cert. On a recent -current system where you've never run "certctl rehash", have a look into /etc/ssl/certs, then run "certctl rehash", and then check /etc/ssl/certs again to see what I mean.

For a program which communicates with a lot of different systems which use different CAs (mailserver, browser), the path makes sense. For an NFS server I wouldn't configure all the Mozilla-accepted CAs. As such a CAfile may be enough, but having the possibility for both allows the user to choose which way he wants to configure his system (e.g. maybe he has just one CA in a directory, but for consistency reasons he prefers to specify the path to be able to use one way to configure things).

You can do it either way, technically it doesn't matter. It makes sense to have both possibilities (that would be my preference, to give the user the choice which way he wants to handle it). Having only the file-way would not be stupid (as you can see with wpa and unbound, which are used in a similar way in this regard as one would use NFS). Only the path-way would be less favorable in my opinion.
> I haven't yet decided whether or not I'll specify a command option for setting
> CApath. Sendmail does. wpa and unbound don't?

Sendmail needs to use more than one CA if it wants to validate connections from anyone, and it wants to do it in a performant way. WIFI and DNS typically only need one CA.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF