Date:      Mon, 16 Mar 2020 21:44:40 +0000
From:      Rick Macklem <rmacklem@uoguelph.ca>
To:        Alexander Leidinger <Alexander@leidinger.net>
Cc:        Ronald Klop <ronald-lists@klop.ws>, "freebsd-current@FreeBSD.org" <freebsd-current@FreeBSD.org>
Subject:   Re: when does a server need to use SSL_CTX_set_client_CA_list()?
Message-ID:  <YTBPR01MB3374DA21CE30531EF0B06883DDF90@YTBPR01MB3374.CANPRD01.PROD.OUTLOOK.COM>

Alexander Leidinger wrote:
> Quoting Rick Macklem <rmacklem@uoguelph.ca> (from Sun, 15 Mar 2020 23:27:58 +0000):
>
>> As such, it still seems to be a bit of a mystery to me, but it seems that
>> putting all the certificates in a CAfile and not using a CApath directory
>> is the simpler way to go.
>
> If you have multiple CAs in the file, the code needs to search for one
> which matches. If you use the path, the code just needs to list the
> directory and check the filename which matches the id of the CA-cert.
> On a recent -current system where you've never run "certctl rehash",
> have a look into /etc/ssl/certs, then run "certctl rehash", and then
> check /etc/ssl/certs again to see what I mean.
>
> For a program which communicates with a lot of different systems which
> use different CAs (mailserver, browser), the path makes sense. For an
> NFS server I wouldn't configure all the Mozilla-accepted CAs. As such
> a CAfile may be enough, but having the possibility for both allows the
> user to choose which way he wants to configure his system (e.g. maybe
> he has just one CA in a directory, but for consistency reasons he
> prefers to specify the path to be able to use one way to configure
> things).
>
> You can do it either way, technically it doesn't matter. It makes
> sense to have both possibilities (that would be my preference, to give
> the user the choice which way he wants to handle it). Having only the
> file-way would not be stupid (as you can see with wpa and unbound,
> which are used in a similar way in this regard as one would use
> NFS). Only the path-way would be less favorable in my opinion.

Well, I can easily provide command line options for both CAfile and CApath.
The part that confuses me is that only CAfile gets used for:
SSL_CTX_set_client_CA_list(SSL_load_CA_names(CAfile))
in the examples I've found, so the CA list that goes to the client doesn't
seem to get set for the CApath case?
As such, there does seem to be a technical difference between using CAfile
and CApath.

And Garrett seems to indicate SSL_CTX_set_client_CA_list() should always be
done.

Note that NFS will often (not always, that's a decision for the NFS admin)
want certificates from clients (something that a web server doesn't
normally do).

For now, I'll just provide both command line arguments, but note in the man
page that SSL_CTX_set_client_CA_list() is only done for CAfile.

Thanks for your comments, rick

>> I haven't yet decided whether or not I'll specify a command option for
>> setting CApath. Sendmail does. wpa and unbound don't?
>
> Sendmail needs to use more than one CA if it wants to validate
> connections from anyone, and it wants to do it in a performant way.
> WIFI and DNS typically only need one CA.
>
> Bye,
> Alexander.
>
> --
> http://www.Leidinger.net Alexander@Leidinger.net: PGP 0x8F31830F9F2772BF
> http://www.FreeBSD.org    netchild@FreeBSD.org  : PGP 0x8F31830F9F2772BF



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?YTBPR01MB3374DA21CE30531EF0B06883DDF90>