I want to control the set of CA certificates available to authenticate
client certificates. AIUI I can use SSL_SetTrustAnchors() to do this but
it isn't working as I'd expect.
The code looks like:
CERTCertList *ca_list = CERT_NewCertList();   /* empty list */
SSL_SetTrustAnchors(fd, ca_list);             /* returns SECSuccess */
.... rest of the handshake ...
So I'm setting it to an empty list, which, as I understand it, means no client
certs should be accepted. But I find that client certs are still
successful when client auth is required.
I'm testing using a CA which has two subordinate CAs, one for clients
and one for servers. All three CAs are trusted in my server database.
Am I doing this wrong or are my expectations wrong?
ro
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto