Date: Mon, 16 Mar 2020 21:44:40 +0000 From: Rick Macklem <rmacklem@uoguelph.ca> To: Alexander Leidinger <Alexander@leidinger.net> Cc: Ronald Klop <ronald-lists@klop.ws>, "freebsd-current@FreeBSD.org" <freebsd-current@FreeBSD.org> Subject: Re: when does a server need to use SSL_CTX_set_client_CA_list()? Message-ID: <YTBPR01MB3374DA21CE30531EF0B06883DDF90@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>
next in thread | raw e-mail | index | archive | help
Alexander Leidinger wrote: >Quoting Rick Macklem <rmacklem@uoguelph.ca> (from Sun, 15 Mar 2020 >23:27:58 +0000): > >> As such, it stills seems to be a bit of a mystery to me, but it >> seems that putting >> all the certificates in a CAfile and not using a CApath directory is >> the simpler >> way to go. > >If you have multiple CAs in the file, the code needs to search for one >which matches. If you use the path, the code just needs to list the >directory and check the filename which matches the id of the CA-cert. >On a recent -current system have where you've never run "certctl >rehash" have a look into /etc/ssl/certs, then run "certctl rehash", >and then check /etc/ssl/certs again to see what I mean. > >For a program which communicates with a lot of different systems which >use different CAs (mailserver, browser), the path makes sense. For a >NFS server I wouldn't configure all the Mozilla-accepted CAs. As such >a CAfile may be enough, but having the possibility for both allows the >user to chose which way he wants to configure his system (e.g. maybe >he has just one CA in a directory, but for consistency reasons he >prefers to specify the path to be able to use one way to configure >things). > >You can do it either way, technically it doesn't matter. It makes >sense to have both possibilities (that would be my preference, to give >the user the choice which way he wants to handle it). Having only the >file-way would not be stupid (as you can see with wpa and unbound, >which are used in a similar way in this regard than one would use >NFS). Only the path-way would be less favorable in my opinion. Well, I can easily provide command line options for both CAfile and CApath. The part that confuses me is that only CAfile gets used for: SSL_CTX_set_client_CA_list(SSL_load_CA_names(CAfile)) in the examples I've found, so the CA list that goes to the client doesn't seem to get set for the CApath case? As such, there does seem to be a technical difference between using CAfile and CApath. And Garrett seems to indicate SSL_CTX_set_client_CA_LIST() should always be done. Note that NFS will often (not always, that's a decision for the NFS admin) want certificates from clients (something that a web server doesn't normally do). For now, I'll just provide both command line arguments, but note in the man page that SSL_CTX_set_client_CA_list() is only done for CAfile. Thanks for your comments, rick > I haven't yet decided whether or not I'll specify a command option > for setting > CApath. Sendmail does. wpa and unboud don't? Sendmail needs to use more than one CA if it wants to validate connections from anyone, and it wants to do it in a performant way. WIFI and DNS typically only need one CA. Bye, Alexander. -- http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF http://www.FreeBSD.org netchild@FreeBSD.org : PGP 0x8F31830F9F2772BF
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?YTBPR01MB3374DA21CE30531EF0B06883DDF90>