diff options
| author | Matt Caswell <matt@openssl.org> | 2018-10-26 12:43:19 +0200 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2018-11-12 15:29:02 +0100 |
| commit | 98732979001dbb59320803713c4c91ba40234250 (patch) | |
| tree | 692c033035843ed07030ec5be0e99a14dd9cb9df /doc | |
| parent | Test use of a brainpool ECDSA certificate (diff) | |
| download | openssl-98732979001dbb59320803713c4c91ba40234250.tar.xz openssl-98732979001dbb59320803713c4c91ba40234250.zip | |
Separate ca_names handling for client and server
SSL(_CTX)?_set_client_CA_list() was a server side only function in 1.1.0.
If it was called on the client side then it was ignored. In 1.1.1 it now
makes sense to have a CA list defined for both client and server (the
client now sends it the the TLSv1.3 certificate_authorities extension).
Unfortunately some applications were using the same SSL_CTX for both
clients and servers and this resulted in some client ClientHellos being
excessively large due to the number of certificate authorities being sent.
This commit seperates out the CA list updated by
SSL(_CTX)?_set_client_CA_list() and the more generic
SSL(_CTX)?_set0_CA_list(). This means that SSL(_CTX)?_set_client_CA_list()
still has no effect on the client side. If both CA lists are set then
SSL(_CTX)?_set_client_CA_list() takes priority.
Fixes #7411
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7503)
Diffstat (limited to 'doc')
| -rw-r--r-- | doc/man3/SSL_CTX_set0_CA_list.pod | 5 | ||||
| -rw-r--r-- | doc/man3/SSL_CTX_set_client_CA_list.pod | 5 |
2 files changed, 9 insertions, 1 deletions
diff --git a/doc/man3/SSL_CTX_set0_CA_list.pod b/doc/man3/SSL_CTX_set0_CA_list.pod index 618bd73e04..37a4cee9ca 100644 --- a/doc/man3/SSL_CTX_set0_CA_list.pod +++ b/doc/man3/SSL_CTX_set0_CA_list.pod @@ -48,7 +48,10 @@ has sent. =head1 NOTES These functions are generalised versions of the client authentication -CA list functions such as L<SSL_CTX_set_client_CA_list(3)>. +CA list functions such as L<SSL_CTX_set_client_CA_list(3)>. If both these +and L<SSL_CTX_set_client_CA_list(3)> or similar functions are used, then the +latter functions take priority on the server side (they are ignored on the +client side). For TLS versions before 1.3 the list of CA names is only sent from the server to client when requesting a client certificate. So any list of CA names set diff --git a/doc/man3/SSL_CTX_set_client_CA_list.pod b/doc/man3/SSL_CTX_set_client_CA_list.pod index 76fd65e6fc..e23999aaae 100644 --- a/doc/man3/SSL_CTX_set_client_CA_list.pod +++ b/doc/man3/SSL_CTX_set_client_CA_list.pod @@ -34,6 +34,11 @@ the chosen B<ssl>, overriding the setting valid for B<ssl>'s SSL_CTX object. =head1 NOTES +These functions are similar to L<SSL_CTX_set0_CA_list(3)> and similar functions +but only have an effect on the server side. These functions are present for +backwards compatibility. L<SSL_CTX_set0_CA_list(3)> and similar functions should +be used in preference. + When a TLS/SSL server requests a client certificate (see B<SSL_CTX_set_verify(3)>), it sends a list of CAs, for which it will accept certificates, to the client. |