Hi everyone,


I’m trying to implement client authentication with an OpenSSL client & server. Everything works fine: the server asks for the client’s certificate, gets it & verification succeeds too. The only problem is that I can’t make the client send to the server a certificate that matches one of the names in the server’s CA list (defined on the server side with SSL_CTX_set_client_CA_list()). What I want is that the client will send a certificate ONLY if it is signed by one of the server’s trusted CAs (from the CA list), and, if the client doesn’t have a certificate like that – it shouldn’t send anything. In fact, I’m getting different behavior: the client always sends its certificate, even if it is signed by a CA unknown to the server. From the SSL_CTX_set_client_CA_list() documentation it seems to me that the behavior I’m expecting is the right one, and the one I’m getting is the wrong one. Does anybody know how to help me?


This is the relevant snippet of server code:


/* Names from CA_FILE are advertised to clients in the CertificateRequest. */
STACK_OF(X509_NAME) *cert_names = SSL_load_client_CA_file(CA_FILE);
if (cert_names == NULL) {
    printf("Couldn't load CA names from CA file: %s\n", CA_FILE);
    exit(15);
} else {
    if (sk_X509_NAME_num(cert_names) > 0) {
        printf("---Acceptable client certificate CA names\n");
        for (int i = 0; i < sk_X509_NAME_num(cert_names); i++) {
            /* X509_NAME_oneline() with a NULL buffer allocates with OPENSSL_malloc(),
             * so the result must be released with OPENSSL_free(), not free(). */
            char *str = X509_NAME_oneline(sk_X509_NAME_value(cert_names, i), 0, 0);
            printf("\t Name #%d: %s\n", (i + 1), str);
            OPENSSL_free(str);
        }
    }
    SSL_CTX_set_client_CA_list(ctx, cert_names);
}

/* Same CA file is used as the trust store for verifying the client's chain. */
SSL_CTX_load_verify_locations(ctx, CA_FILE, CA_PATH);
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, &verify_callback);


Any help will be very appreciated.


Thanks,

Sharon Hezy.
