From: Rick Macklem
To: Alexander Leidinger
CC: Ronald Klop, freebsd-current@FreeBSD.org
Subject: Re: when does a server need to use SSL_CTX_set_client_CA_list()?
Date: Mon, 16 Mar 2020 21:44:40 +0000

Alexander Leidinger wrote:
>Quoting Rick Macklem (from Sun, 15 Mar 2020
>23:27:58 +0000):
>
>> As such, it still seems to be a bit of a mystery to me, but it
>> seems that putting
>> all the certificates in a CAfile and not using a CApath directory is
>> the simpler
>> way to go.
>
>If you have multiple CAs in the file, the code needs to search for one
>which matches. If you use the path, the code just needs to list the
>directory and check the filename which matches the id of the CA-cert.
>On a recent -current system where you've never run "certctl
>rehash", have a look into /etc/ssl/certs, then run "certctl rehash",
>and then check /etc/ssl/certs again to see what I mean.
>
>For a program which communicates with a lot of different systems which
>use different CAs (mailserver, browser), the path makes sense. For an
>NFS server I wouldn't configure all the Mozilla-accepted CAs. As such
>a CAfile may be enough, but having the possibility for both allows the
>user to choose which way he wants to configure his system (e.g. maybe
>he has just one CA in a directory, but for consistency reasons he
>prefers to specify the path to be able to use one way to configure
>things).
>
>You can do it either way, technically it doesn't matter. It makes
>sense to have both possibilities (that would be my preference, to give
>the user the choice which way he wants to handle it). Having only the
>file-way would not be stupid (as you can see with wpa and unbound,
>which are used in a similar way in this regard as one would use
>NFS). Only the path-way would be less favorable in my opinion.
Well, I can easily provide command line options for both CAfile and CApath.
The part that confuses me is that only CAfile gets used for:
SSL_CTX_set_client_CA_list(SSL_load_CA_names(CAfile))
in the examples I've found, so the CA list that goes to the client doesn't seem
to get set for the CApath case?
As such, there does seem to be a technical difference between using CAfile and
CApath.

And Garrett seems to indicate SSL_CTX_set_client_CA_LIST() should always be done.

Note that NFS will often (not always, that's a decision for the NFS admin) want
certificates from clients (something that a web server doesn't normally do).

For now, I'll just provide both command line arguments, but note in the man
page that SSL_CTX_set_client_CA_list() is only done for CAfile.

Thanks for your comments, rick

> I haven't yet decided whether or not I'll specify a command option
> for setting
> CApath. Sendmail does. wpa and unbound don't?

Sendmail needs to use more than one CA if it wants to validate
connections from anyone, and it wants to do it in a performant way.
WIFI and DNS typically only need one CA.

Bye,
Alexander.

-- 
http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF