Re: [exim] Server offering *all* certificates

Author: Viktor Dukhovni
Date:  
To: exim-users
Subject: Re: [exim] Server offering *all* certificates
> On Mar 29, 2019, at 11:18 PM, Phil Pennock via Exim-users <exim-users@???> wrote:
>
> With OpenSSL, as Jeremy hints at: the behaviour depends entirely upon
> whether you provide the library with "a file containing all valid certs"
> or "a directory within which we can look for files matching a hash of
> the certs".


Actually, it is likely not so much OpenSSL behaviour as such, but rather
the most common application practice, which obviates the need for a
separately configurable parameter to set the list of advertised CAs.

The relevant OpenSSL functions are:

    SSL_load_client_CA_file()
    SSL_CTX_set_client_CA_list()


The first extracts a list of subject DNs from a file with CA certs,
and the second configures that stack as the list of CAs to advertise.
Many applications, including Postfix and likely Exim, just use the same
CA file used for client certificate verification as the list of CAs
to advertise. But this is not set in stone; other choices are available,
including using an empty stack.

Note, however, that some clients (notably Java) will not send a client
certificate unless the list of CAs sent is non-empty, and IIRC also
includes the trust-anchor that issued the client cert. Thus sending
no CAs or a partial list might suppress client cert use in some clients.

> If you give OpenSSL a file, then it advertises them all to the client.


As explained above, this is not automatic. The OpenSSL application
chooses the file separately from the file with trusted CAs, but many
just always use the same file.

> If you give OpenSSL a directory (processed with c_rehash or equivalent)
> then it advertises none to the client, but can verify them all.


This is the common work-around, but one can also simply use a smaller
file with just the desired issuers.

-- 
    Viktor.