Gitweb:
http://git.exim.org/exim.git/commitdiff/a805c12a5067af2e00736d48000614afbc00d866
Commit: a805c12a5067af2e00736d48000614afbc00d866
Parent: c713ca4b4c4e9f668ddca5b332a386fac4ea5133
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Sep 21 17:59:44 2014 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Thu Sep 25 18:39:25 2014 +0100
Amplify comment on server requests for client certificates
---
src/src/tls-openssl.c | 11 ++++++++++-
1 files changed, 10 insertions(+), 1 deletions(-)
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 7e424f4..cb2e94f 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1377,7 +1377,16 @@ if (expcerts != NULL && *expcerts != '\0')
return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
/* Load the list of CAs for which we will accept certs, for sending
- to the client. XXX only for file source, not dir? */
+ to the client. This is only for the one-file tls_verify_certificates
+ variant.
+ If a list isn't loaded into the server, but
+ some verify locations are set, the server end appears to make
+ a wildcard reqest for client certs.
+ Meanwhile, the client library as deafult behaviour *ignores* the list
+ we send over the wire - see man SSL_CTX_set_client_cert_cb.
+ Because of this, and that the dir variant is likely only used for
+ the public-CA bundle (not for a private CA), not worth fixing.
+ */
if (file != NULL)
{
STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
