The names of the CAs accepted are already supposed to be sent as part of the
negotiation. It wasn't until after TLSv1.0 that the spec permitted a wildcard
CA name list.
This kind of information-leakage being a vulnerability also depends on the
application being authentication-naive. A web ap
Hello,
if we do SSL/TLS client authentication, the current OpenSSL 1.0.0d verifies
the client certificate upon reception of the Client Certificate message.
Let's consider I want to find out whether the server trusts a certain CA I,
as an attacker, am planning to compromise. I would send some certif