Fix wrong information with respect to CAs listed to the client
(follows from technical discussion with Amit Chopra <amitc@pspl.co.in>).
This commit is contained in:
parent
d349c5f8fd
commit
26c329cd84
2 changed files with 21 additions and 17 deletions
|
@ -33,10 +33,6 @@ which can be used e.g. for descriptions of the certificates.
|
|||
The B<CAfile> is processed on execution of the SSL_CTX_load_verify_locations()
|
||||
function.
|
||||
|
||||
If on an TLS/SSL server no special setting is performed using *client_CA_list()
|
||||
functions, the certificates contained in B<CAfile> are listed to the client
|
||||
as available CAs during the TLS/SSL handshake.
|
||||
|
||||
If B<CApath> is not NULL, it points to a directory containing CA certificates
|
||||
in PEM format. The files each contain one CA certificate. The files are
|
||||
looked up by the CA subject name hash value, which must hence be available.
|
||||
|
@ -50,9 +46,6 @@ The certificates in B<CApath> are only looked up when required, e.g. when
|
|||
building the certificate chain or when actually performing the verification
|
||||
of a peer certificate.
|
||||
|
||||
On a server, the certificates in B<CApath> are not listed as available
|
||||
CA certificates to a client during a TLS/SSL handshake.
|
||||
|
||||
When looking up CA certificates, the OpenSSL library will first search the
|
||||
certificates in B<CAfile>, then those in B<CApath>. Certificate matching
|
||||
is done based on the subject name, the key identifier (if present), and the
|
||||
|
@ -62,6 +55,13 @@ matching the parameters is found, the verification process will be performed;
|
|||
no other certificates for the same parameters will be searched in case of
|
||||
failure.
|
||||
|
||||
In server mode, when requesting a client certificate, the server must send
|
||||
the list of CAs of which it will accept client certificates. This list
|
||||
is not influenced by the contents of B<CAfile> or B<CApath> and must
|
||||
explicitely be set using the
|
||||
L<SSL_CTX_set_client_CA_list(3)|SSL_CTX_set_client_CA_list(3)>
|
||||
family of functions.
|
||||
|
||||
When building its own certificate chain, an OpenSSL client/server will
|
||||
try to fill in missing certificates from B<CAfile>/B<CApath>, if the
|
||||
certificate chain was not explicitly specified (see
|
||||
|
|
|
@ -36,25 +36,23 @@ the chosen B<ssl>, overriding the setting valid for B<ssl>'s SSL_CTX object.
|
|||
|
||||
When a TLS/SSL server requests a client certificate (see
|
||||
B<SSL_CTX_set_verify_options()>), it sends a list of CAs, for which
|
||||
it will accept certificates, to the client. If no special list is provided,
|
||||
the CAs available using the B<CAfile> option in
|
||||
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
|
||||
are sent.
|
||||
it will accept certificates, to the client.
|
||||
|
||||
This list can be explicitly set using the SSL_CTX_set_client_CA_list() for
|
||||
This list must explicitly be set using SSL_CTX_set_client_CA_list() for
|
||||
B<ctx> and SSL_set_client_CA_list() for the specific B<ssl>. The list
|
||||
specified overrides the previous setting. The CAs listed do not become
|
||||
trusted (B<list> only contains the names, not the complete certificates); use
|
||||
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
|
||||
to additionally load them for verification.
|
||||
|
||||
If the list of acceptable CAs is compiled in a file, the
|
||||
L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>
|
||||
function can be used to help importing the necessary data.
|
||||
|
||||
SSL_CTX_add_client_CA() and SSL_add_client_CA() can be used to add additional
|
||||
items the list of client CAs. If no list was specified before using
|
||||
SSL_CTX_set_client_CA_list() or SSL_set_client_CA_list(), a new client
|
||||
CA list for B<ctx> or B<ssl> (as appropriate) is opened. The CAs implicitly
|
||||
specified using
|
||||
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
|
||||
are no longer used automatically.
|
||||
CA list for B<ctx> or B<ssl> (as appropriate) is opened.
|
||||
|
||||
These functions are only useful for TLS/SSL servers.
|
||||
|
||||
|
@ -80,11 +78,17 @@ to find out the reason.
|
|||
|
||||
=back
|
||||
|
||||
=head1 EXAMPLES
|
||||
|
||||
Scan all certificates in B<CAfile> and list them as acceptable CAs:
|
||||
|
||||
SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
|
||||
|
||||
=head1 SEE ALSO
|
||||
|
||||
L<ssl(3)|ssl(3)>,
|
||||
L<SSL_get_client_CA_list(3)|SSL_get_client_CA_list(3)>,
|
||||
L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>
|
||||
L<SSL_load_client_CA_file(3)|SSL_load_client_CA_file(3)>,
|
||||
L<SSL_CTX_load_verify_locations(3)|SSL_CTX_load_verify_locations(3)>
|
||||
|
||||
=cut
|
||||
|
|
Loading…
Reference in a new issue