git.librecmc.org Git - oweals/openssl.git/commit

author	Matt Caswell <matt@openssl.org>
	Fri, 26 Oct 2018 10:43:19 +0000 (11:43 +0100)
committer	Matt Caswell <matt@openssl.org>
	Mon, 12 Nov 2018 14:38:47 +0000 (14:38 +0000)
commit	b4970e8bf5eeebd5b318d1c4b9aa11a73d183458
tree	24db579e14964c293b3feb86febc95be90f3a6ba	tree \| snapshot
parent	02d3c6aecc646872af1286144ce8af0693a9f4e3	commit \| diff

Separate ca_names handling for client and server

SSL(_CTX)?_set_client_CA_list() was a server side only function in 1.1.0.
If it was called on the client side then it was ignored. In 1.1.1 it now
makes sense to have a CA list defined for both client and server (the
client now sends it the the TLSv1.3 certificate_authorities extension).
Unfortunately some applications were using the same SSL_CTX for both
clients and servers and this resulted in some client ClientHellos being
excessively large due to the number of certificate authorities being sent.

This commit seperates out the CA list updated by
SSL(_CTX)?_set_client_CA_list() and the more generic
SSL(_CTX)?_set0_CA_list(). This means that SSL(_CTX)?_set_client_CA_list()
still has no effect on the client side. If both CA lists are set then
SSL(_CTX)?_set_client_CA_list() takes priority.

Fixes #7411

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7503)

(cherry picked from commit 98732979001dbb59320803713c4c91ba40234250)

doc/man3/SSL_CTX_set0_CA_list.pod		diff \| blob \| history
doc/man3/SSL_CTX_set_client_CA_list.pod		diff \| blob \| history
ssl/ssl_cert.c		diff \| blob \| history
ssl/ssl_lib.c		diff \| blob \| history
ssl/ssl_locl.h		diff \| blob \| history
ssl/statem/extensions.c		diff \| blob \| history
ssl/statem/statem_lib.c		diff \| blob \| history
ssl/statem/statem_locl.h		diff \| blob \| history
ssl/statem/statem_srvr.c		diff \| blob \| history