Summary: Configure mod_ssl to send an empty distinguished names list
Product: Apache httpd-2 | Reporter: Aleksandr <aleksgrv>
Component: mod_ssl | Assignee: Apache HTTPD Bugs Mailing List <bugs>
Description Aleksandr 2017-12-26 07:00:47 UTC
We use SSLCACertificateFile for client auth and want to send an empty CA DN names list, because SSLCACertificateFile is very large and hits the limit for CertificateRequest <0..2^16-1> (more info about it: https://github.com/openssl/openssl/issues/4819).

RFC 5246, section 7.4.4: "certificate_authorities: A list of the distinguished names [X501] of acceptable certificate_authorities, represented in DER-encoded format. These distinguished names may specify a desired distinguished name for a root CA or for a subordinate CA; thus, this message can be used to describe known roots as well as a desired authorization space. If the certificate_authorities list is empty, then the client MAY send any certificate of the appropriate ClientCertificateType, unless there is some external arrangement to the contrary."

I think we need to add support for an empty SSLCADNRequestFile.
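An added worked check, not code from the bug report, httpd or OpenSSL: it DER-encodes constructed CA names and computes the wire size of the RFC 5246 certificate_authorities vector body, so one can see how many CA names a CertificateRequest can carry before the 2^16-1 limit is exceeded. The OIDs, the constant and the synthetic names are assumptions made for this example.

```python
# RFC 5246 7.4.4: DistinguishedName certificate_authorities<0..2^16-1>,
# each entry being opaque DistinguishedName<1..2^16-1> (2-byte length prefix).
MAX_CA_LIST_BODY = 2**16 - 1

# X.501 attribute type OIDs as DER contents octets (constructed for this example)
OID_COMMON_NAME = bytes.fromhex("550403")    # id-at-commonName, 2.5.4.3
OID_ORGANIZATION = bytes.fromhex("55040a")   # id-at-organizationName, 2.5.4.10

def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag: int, value: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(value)) + value

def encode_dn(attrs):
    """DER Name: SEQUENCE of RDN SET { SEQUENCE { OID, UTF8String } }."""
    rdns = b""
    for oid, text in attrs:
        atv = der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x0C, text.encode("utf-8")))
        rdns += der_tlv(0x31, atv)
    return der_tlv(0x30, rdns)

def ca_names_body_size(dns) -> int:
    """Bytes the certificate_authorities vector body occupies on the wire."""
    return sum(2 + len(dn) for dn in dns)

def fits_in_certificate_request(dns) -> bool:
    """True while the CA list still fits the 2-byte vector length field."""
    return ca_names_body_size(dns) <= MAX_CA_LIST_BODY

def synthetic_ca_list(count: int):
    """Constructed CA names standing in for a large SSLCACertificateFile."""
    return [encode_dn([(OID_ORGANIZATION, "Example"),
                       (OID_COMMON_NAME, f"Synthetic CA {i:04d}")])
            for i in range(count)]

if __name__ == "__main__":
    for n in (100, 1310, 1311):
        dns = synthetic_ca_list(n)
        print(n, "CA names ->", ca_names_body_size(dns), "bytes; fits:",
              fits_in_certificate_request(dns))
```

With the 48-byte synthetic names used here each entry costs 50 bytes, so the list overflows at 1311 names; real CA subjects are usually longer and overflow sooner.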
Comment 1 Emerson Gomes 2019-02-11 21:11:28 UTC
With this same need, we managed to achieve having an empty CA list by commenting out line 873 in modules/ssl/ssl_engine_init.c: /* SSL_CTX_set_client_CA_list(ctx, ca_list); */ Quite a bit of a hack. In HAProxy this is done by the parameter "no-ca-names": https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-no-ca-names It also achieves that by wrapping the same statement above in an "if". I believe this should also be added as a parameter in httpd.