Bug 61929

Summary: Configure mod_ssl to send an empty distinguished names list
Product: Apache httpd-2
Reporter: Aleksandr <aleksgrv>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---
Severity: enhancement
Priority: P2
Version: 2.4.23
Target Milestone: ---
Hardware: PC
OS: All

Description Aleksandr 2017-12-26 07:00:47 UTC
We use SSLCACertificateFile for client auth and want to send an empty CA DN names list, because SSLCACertificateFile is very large and hits the limit for CertificateRequest <0..2^16-1> (more info about it: https://github.com/openssl/openssl/issues/4819)

RFC 5246, section 7.4.4:

 certificate_authorities
      A list of the distinguished names [X501] of acceptable
      certificate_authorities, represented in DER-encoded format.  These
      distinguished names may specify a desired distinguished name for a
      root CA or for a subordinate CA; thus, this message can be used to
      describe known roots as well as a desired authorization space.  If
      the certificate_authorities list is empty, then the client MAY
      send any certificate of the appropriate ClientCertificateType,
      unless there is some external arrangement to the contrary.

I think we need to add support for an empty SSLCADNRequestFile.
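An added check, not code from httpd, OpenSSL or this report: it estimates how much of the 2^16-1 byte certificate_authorities vector the subject DNs of a PEM bundle such as SSLCACertificateFile would occupy on the wire (a 2-byte length plus the DER subject Name per CA). The DER walker and the constructed stand-in certificates (`fake_cert`, `sample_bundle`) are this example's own and are not real CAs.

```python
import base64, re

VECTOR_LIMIT = 2**16 - 1   # certificate_authorities<0..2^16-1>, RFC 5246 7.4.4

def _tlv(data, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def subject_der(cert_der):
    """Return the DER subject Name (full TLV) of an X.509 certificate."""
    _, cert_body, _ = _tlv(cert_der, 0)    # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert_body, 0)         # tbsCertificate ::= SEQUENCE
    tag, _, pos = _tlv(tbs, 0)
    pos = pos if tag == 0xA0 else 0        # optional [0] EXPLICIT version
    for _ in range(4):                     # serialNumber, signature, issuer, validity
        _, _, pos = _tlv(tbs, pos)
    _, _, end = _tlv(tbs, pos)             # subject Name
    return tbs[pos:end]

def pem_certs(pem_text):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]   # DER of each cert

def ca_list_size(pem_text):
    """Bytes the DN list occupies on the wire: 2-byte length + DER Name per CA."""
    return sum(2 + len(subject_der(c)) for c in pem_certs(pem_text))

def fits_in_certificate_request(pem_text):
    return ca_list_size(pem_text) <= VECTOR_LIMIT

# --- constructed test data, not real CA certificates ---
def _der(tag, content):                    # short-form lengths only
    assert len(content) < 0x80
    return bytes([tag, len(content)]) + content
def fake_cert(cn):
    """Just enough Certificate structure for subject_der(): a CN-only subject."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03")
                                           + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name + _der(0x30, b"") + name)
    return _der(0x30, _der(0x30, tbs))
def sample_bundle(n):                      # PEM text with n constructed CAs
    return "".join("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                   % base64.b64encode(fake_cert("Constructed CA %04d" % i)).decode()
                   for i in range(n))
```

Against a real bundle, `ca_list_size(open(path).read())` gives the size OpenSSL would have to fit into the CertificateRequest; `sample_bundle` only exists to exercise the code offline.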
Comment 1 Emerson Gomes 2019-02-11 21:11:28 UTC
With this same need, we managed to achieve having an empty CA list by commenting out line 873 in modules/ssl/ssl_engine_init.c

/*  SSL_CTX_set_client_CA_list(ctx, ca_list); */

Quite a bit of a hack.

In HAProxy this is done by parameter "no-ca-names":
https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-no-ca-names

It also achieves that by wrapping the same statement above in an "if".

I believe this should also be added as a parameter in httpd.