On 23.05.2013 17:38, Olle E. Johansson wrote:
> Now, with old SSL/TLS the server requiring a client cert had to say
> "I only accept client certs from these CAs". With TLS 1.x something
> this was removed, which opens up a lot of new possibilities for
> self-signed certs verified by other means, like with DANE
> or the HTTP/PKI verification that is being worked on.
> Unfortunately it's hard to require people to update their OpenSSL
> or gnuTLS stack to get this, which means that there has to be
> a small set of CAs used for client certs for this to work in a
> federation, which stinks...
ISTR that sending an empty list has worked for a couple of years -- at
least between implementations using OpenSSL. Haven't seen any problems
when we interop-tested s2s (back in 2010).