Stephen Henson wrote:
>
> My tests on Mozilla 1.2.1 show it tolerates an empty set and interprets
> it as "any CA". Maybe that's NSS 3.6 because that's the version the
> "Generic Crypto Services" HW version shows up as.

Hmm. The change that allowed empty CA name lists was rev 1.44 of ssl3con.c, which first appeared in NSS 3.7. I wonder if Mozilla used a snapshot of NSS that was made after the 3.6 release, but just before the 3.7 release. That would still show the number 3.6, even though it contained 3.7 features.

But perhaps there's another explanation. Did your server send an empty list (zero length list)? Or did it perhaps send a list containing one zero-length name? That is, was the length of certificate_authorities zero? Or was it (say) 3, and the length of the first DistinguishedName zero?

I believe that NSS 3.6 allowed the latter but not the former. Zero length DistinguishedNames are not allowed by RFC 2246, but NSS 3.6 allowed them.

--
Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
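
The two encodings distinguished in the message above, as an added example that is not part of the original thread and is not NSS code: a C classifier for the certificate_authorities field of a TLS CertificateRequest, assuming the TLS 1.0 wire format in which the list and each DistinguishedName carry a 2-byte length prefix. The function and enum names are hypothetical and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef enum {
    CA_LIST_MALFORMED,      /* lengths do not add up */
    CA_LIST_EMPTY,          /* outer length is zero: no names at all */
    CA_LIST_ZERO_LEN_NAME,  /* some DistinguishedName has length zero */
    CA_LIST_OK              /* every name is non-empty */
} ca_list_kind;

/* buf points at the 2-byte length of certificate_authorities; len is the
 * number of bytes available. *names receives the count of names parsed. */
ca_list_kind classify_ca_list(const uint8_t *buf, size_t len, size_t *names)
{
    size_t off = 2;
    int saw_empty = 0;

    *names = 0;
    if (len < 2 || (((size_t)buf[0] << 8) | buf[1]) != len - 2)
        return CA_LIST_MALFORMED;       /* outer length must match exactly */
    if (len == 2)
        return CA_LIST_EMPTY;
    while (off < len) {
        size_t dn_len;
        if (len - off < 2)
            return CA_LIST_MALFORMED;   /* truncated name length */
        dn_len = ((size_t)buf[off] << 8) | buf[off + 1];
        off += 2;
        if (dn_len > len - off)
            return CA_LIST_MALFORMED;   /* name runs past the list */
        if (dn_len == 0)
            saw_empty = 1;
        off += dn_len;
        (*names)++;
    }
    return saw_empty ? CA_LIST_ZERO_LEN_NAME : CA_LIST_OK;
}

/* Constructed sample encodings, not captured traffic. */
static const uint8_t EMPTY_LIST[]   = { 0x00, 0x00 };
static const uint8_t ONE_EMPTY_DN[] = { 0x00, 0x02, 0x00, 0x00 };

int main(void)
{
    size_t n;
    printf("%d\n", classify_ca_list(EMPTY_LIST, sizeof EMPTY_LIST, &n));
    printf("%d\n", classify_ca_list(ONE_EMPTY_DN, sizeof ONE_EMPTY_DN, &n));
    return 0;
}
```

A client or test harness can log the returned kind next to the peer's handshake to tell which of the two server behaviours it is actually seeing.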