We use SSLCACertificateFile for client auth and want to send an empty list of CA DN names, because our SSLCACertificateFile is very large and hits the limit for CertificateRequest <0..2^16-1> (more info about it: https://github.com/openssl/openssl/issues/4819).

RFC 5246, section 7.4.4:

    certificate_authorities
        A list of the distinguished names [X501] of acceptable certificate_authorities, represented in DER-encoded format. These distinguished names may specify a desired distinguished name for a root CA or for a subordinate CA; thus, this message can be used to describe known roots as well as a desired authorization space. If the certificate_authorities list is empty, then the client MAY send any certificate of the appropriate ClientCertificateType, unless there is some external arrangement to the contrary.

I think support for an empty SSLCADNRequestFile needs to be added.
With this same need, we managed to get an empty CA list by commenting out line 873 in modules/ssl/ssl_engine_init.c:

    /* SSL_CTX_set_client_CA_list(ctx, ca_list); */

Quite a bit of a hack.

In HAProxy this is done by the parameter "no-ca-names": https://cbonte.github.io/haproxy-dconv/1.8/configuration.html#5.1-no-ca-names
It also achieves that by wrapping the same statement above in an "if".

I believe this should also be added as a parameter in httpd.
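
The size limit the first comment runs into can be checked against a CA bundle before deployment. The following is an added example, not part of the original thread and not httpd, HAProxy or OpenSSL code: it sums the bytes that the subject DNs of a PEM bundle need in certificate_authorities<0..2^16-1>. The function names are this example's own, and the sample bundle is constructed from skeleton certificates.

```python
import base64
import re

MAX_CA_LIST = 2**16 - 1  # certificate_authorities<0..2^16-1>, RFC 5246 section 7.4.4

def tlv(tag, body):
    """DER-encode one tag-length-value element."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + body

def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER element at pos."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return tag, start, start + length

def subject_dn(cert):
    """Raw DER of the subject Name inside an X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)        # Certificate
    _, pos, _ = read_tlv(cert, pos)      # tbsCertificate
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                      # optional [0] version
        pos = end
    for _ in range(4):                   # serialNumber, signature, issuer, validity
        _, _, pos = read_tlv(cert, pos)
    return cert[pos:read_tlv(cert, pos)[2]]

def ca_list_size(bundle_pem):
    """Bytes the bundle's subject DNs need in certificate_authorities."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                        bundle_pem, re.S)
    # each DistinguishedName is sent as a 2-byte length followed by its DER
    return sum(2 + len(subject_dn(base64.b64decode(b))) for b in blocks)

def fake_cert(cn):
    """Constructed skeleton (not a valid certificate): tbsCertificate up to subject."""
    name = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn.encode()))))
    tbs = tlv(0xA0, tlv(2, b"\x02")) + tlv(2, b"\x01") + tlv(0x30, b"") + name + tlv(0x30, b"") + name
    pem = base64.encodebytes(tlv(0x30, tlv(0x30, tbs))).decode()
    return "-----BEGIN CERTIFICATE-----\n" + pem + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    bundle = "".join(fake_cert("Constructed CA %04d" % i) for i in range(2000))
    size = ca_list_size(bundle)
    print(size, "fits" if size <= MAX_CA_LIST else "exceeds the CertificateRequest limit")
```

An empty bundle gives a size of 0, which corresponds to the empty certificate_authorities list the RFC text above permits.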