> On Dec 2, 2018, at 7:38 PM, Charles Mills <charl...@mcn.org> wrote:
>
> I have an OpenSSL (v1.1.0f) server application that processes client certificates.
>
> The doc for SSL_CTX_load_verify_locations() states “In server mode, when requesting a client certificate, the server must send the list of CAs of which it will accept client certificates. This list is not influenced by the contents of CAfile or CApath and must explicitly be set using the SSL_CTX_set_client_CA_list family of functions.”
>
> The application makes no calls to SSL_CTX_set_client_CA_list() yet receives client certificates without errors.
>
> Can someone please explain the discrepancy? I’m especially wondering if I have set a trap that will spring down the road: “yes it works, but if a user does X then it will not work.”
The default list is empty. Some client implementations, IIRC Java's TLS stack or at least some Java TLS toolkits, will not use a client certificate unless the server's list is non-empty, and perhaps may also require that it include a CA name that matches an issuer of their certificate. Other clients have but one default certificate and use it regardless of the server's CA list. Your mileage may vary.

--
Viktor.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users