Bug 61929 - Configure mod_ssl for send empty distinguished names list
Summary: Configure mod_ssl for send empty distinguished names list
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_ssl
Version: 2.4.23
Hardware: PC All
Importance: P2 enhancement
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2017-12-26 07:00 UTC by Aleksandr
Modified: 2019-02-11 21:11 UTC
Description Aleksandr 2017-12-26 07:00:47 UTC
We use SSLCACertificateFile for client auth and want to send an empty CA DN names list, because SSLCACertificateFile is very large and hits the limit for CertificateRequest <0..2^16-1> (more info about it: https://github.com/openssl/openssl/issues/4819)

RFC 5246, section 7.4.4:

      A list of the distinguished names [X501] of acceptable
      certificate_authorities, represented in DER-encoded format.  These
      distinguished names may specify a desired distinguished name for a
      root CA or for a subordinate CA; thus, this message can be used to
      describe known roots as well as a desired authorization space.  If
      the certificate_authorities list is empty, then the client MAY
      send any certificate of the appropriate ClientCertificateType,
      unless there is some external arrangement to the contrary.

I think we need to add support for an empty SSLCADNRequestFile.
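As an added illustration of the size limit the report refers to (this is example code written for this page, not code from httpd, OpenSSL or the reporter): the script below builds the DER-encoded X.501 subject names a server puts into the CertificateRequest certificate_authorities vector and checks the result against the 2^16-1 byte ceiling of RFC 5246 section 7.4.4. It uses a minimal hand-written DER encoder and walker instead of a crypto library, and feeds it a constructed PEM bundle of skeleton certificates (correct field layout, empty key, dummy signature; not valid certificates). The CA count, the DN contents and the helper names (`bundle_of`, `check_bundle` and the rest) are assumptions made for the demonstration.

```python
"""Estimate the TLS 1.2 CertificateRequest certificate_authorities vector that
a server builds from a CA bundle, and check it against the <0..2^16-1> limit
of RFC 5246 section 7.4.4. Added example; not httpd or OpenSSL code."""
import base64
import re

TLS_VECTOR_MAX = 0xFFFF  # certificate_authorities<0..2^16-1>: 2-byte length prefix

# Attribute type OIDs (DER content bytes) for the few RDN types used here.
ATTR_OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a",
             "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def der_read_tlv(buf: bytes, pos: int):
    """Decode the TLV header at buf[pos]; return (tag, content_start, content_end)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    return tag, pos + hdr, pos + hdr + length


def encode_name(rdns) -> bytes:
    """DER-encode an X.501 Name: SEQUENCE OF SET OF AttributeTypeAndValue."""
    sets = b""
    for attr, value in rdns:
        atv = der_tlv(0x06, ATTR_OIDS[attr]) + der_tlv(0x0C, value.encode())
        sets += der_tlv(0x31, der_tlv(0x30, atv))
    return der_tlv(0x30, sets)


def subject_from_cert_der(cert: bytes) -> bytes:
    """Walk Certificate -> tbsCertificate and return the DER of the subject field."""
    _, pos, _ = der_read_tlv(cert, 0)        # Certificate SEQUENCE
    _, pos, _ = der_read_tlv(cert, pos)      # tbsCertificate SEQUENCE
    if cert[pos] == 0xA0:                    # optional [0] EXPLICIT version
        pos = der_read_tlv(cert, pos)[2]
    for _ in range(4):                       # serialNumber, signature, issuer, validity
        pos = der_read_tlv(cert, pos)[2]
    return cert[pos:der_read_tlv(cert, pos)[2]]


def ca_names_from_pem(bundle: str):
    """Subject DER of every CERTIFICATE block in a PEM bundle, i.e. the names
    a server derives from its SSLCACertificateFile for the client CA list."""
    pat = r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----"
    return [subject_from_cert_der(base64.b64decode("".join(b.split())))
            for b in re.findall(pat, bundle, re.S)]


def certificate_authorities_size(names) -> int:
    """Byte length of the vector body: each DistinguishedName<1..2^16-1>
    carries its own 2-byte length prefix in front of the DER name."""
    return sum(2 + len(n) for n in names)


def fits_in_certificate_request(names) -> bool:
    return certificate_authorities_size(names) <= TLS_VECTOR_MAX


def skeleton_cert_pem(rdns) -> str:
    """Constructed for this example: a Certificate with the real field layout
    but an empty key and a dummy signature, so subject extraction can be
    exercised offline. It is NOT a valid certificate."""
    name = encode_name(rdns)
    sig_alg = der_tlv(0x30, der_tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + b"\x05\x00")
    validity = der_tlv(0x30, der_tlv(0x17, b"200101000000Z") * 2)
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02"))  # [0] version v3
                  + der_tlv(0x02, b"\x01")                     # serialNumber
                  + sig_alg + name + validity + name           # issuer == subject
                  + der_tlv(0x30, b""))                        # empty subjectPublicKeyInfo
    cert = der_tlv(0x30, tbs + sig_alg + der_tlv(0x03, b"\x00"))
    b64 = base64.b64encode(cert).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def bundle_of(n_cas: int) -> str:
    """Constructed bundle of n_cas issuing CAs with realistic-length DNs."""
    return "".join(skeleton_cert_pem([("C", "DE"), ("O", "Example Corp Trust Services GmbH"),
                                      ("OU", f"Issuing CA {i:04d}"),
                                      ("CN", f"Example Issuing CA {i:04d} G2")])
                   for i in range(n_cas))


def check_bundle(n_cas: int):
    """Return (number of names, vector size in bytes, fits) for bundle_of(n_cas)."""
    names = ca_names_from_pem(bundle_of(n_cas))
    return len(names), certificate_authorities_size(names), fits_in_certificate_request(names)


if __name__ == "__main__":
    for n in (500, 532, 533, 1500):
        count, size, ok = check_bundle(n)
        print(f"{count:5d} CAs -> {size:6d} bytes, {'fits' if ok else 'OVERFLOWS'} CertificateRequest")
```

Running `ca_names_from_pem` over a real SSLCACertificateFile gives the same estimate for a production bundle. With DNs of the length used here (121 bytes each, 123 on the wire) the vector overflows at 533 CAs, which is why sending an empty list, or a short SSLCADNRequestFile with only the names clients actually need, is attractive for large trust stores.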
Comment 1 Emerson Gomes 2019-02-11 21:11:28 UTC
With this same need, we managed to achieve having an empty CA list by commenting out line 873 in modules/ssl/ssl_engine_init.c

/*  SSL_CTX_set_client_CA_list(ctx, ca_list); */

Quite a bit of a hack.

In HAProxy this is done by the "no-ca-names" parameter.

It also achieves that by wrapping the same statement above in an "if".

I believe this should also be added as a parameter in httpd.