Re: Client CA list sending is also in TLS < 1.3 (RFC6066)

On 26/11/2018 20:04, Viktor Dukhovni wrote:
> On Nov 26, 2018, at 11:33 AM, Jakob Bohm via openssl-users <openssl-users@xxxxxxxxxxx> wrote:
>
>> In TLS 1.2 and older it was an extension "Trusted CA Indication" (3),
>> defined in RFC6066 Chapter 6.
>>
>> So I would suggest that any OpenSSL API to control that feature in
>> TLS 1.3 also affects the matching TLS < 1.3 functionality, and is
>> separated from the APIs that control the TLS server sending a list
>> of client certificate CAs to clients.
>>
>> This aspect was somehow missed in a recent discussion of this TLS 1.3
>> behavior (which I cannot find right now).
>
> Thanks for the update.  I guess OpenSSL never implemented RFC6066.
> I am not sure that supporting this in TLS 1.2 is worth adding, but you
> have a valid point of principle.  If it were added, it should use the same
> API that supports the equivalent feature in TLS 1.3 in OpenSSL 1.1.1a.

Just to clarify: RFC6066 is the main RFC for basic TLS extensions,
with chapters defining such things as SNI, and OCSP stapling.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
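As an added illustration of the two wire formats the thread contrasts (example code, not from the thread or from OpenSSL): the RFC 6066 section 6 TrustedAuthorities structure carried in the TLS <= 1.2 trusted_ca_keys extension (type 3), with a bounds-checked parser, beside the plain list of DER names that the TLS 1.3 certificate_authorities extension (RFC 8446 section 4.2.4) carries. The four IdentifierType values are the RFC's; any name or digest bytes fed to these functions are constructed test input, not real CA identifiers.

```python
import struct

PRE_AGREED, KEY_SHA1_HASH, X509_NAME, CERT_SHA1_HASH = 0, 1, 2, 3  # IdentifierType, RFC 6066 sec. 6

def _take(data, pos, n, what):
    """Return data[pos:pos+n] and the new offset, refusing to read past the end."""
    if pos + n > len(data):
        raise ValueError("truncated " + what)
    return data[pos:pos + n], pos + n

def encode_trusted_ca_keys(authorities):
    """Build a TLS <= 1.2 TrustedAuthorities body from (identifier_type, payload) pairs."""
    body = b""
    for ident_type, payload in authorities:
        body += bytes([ident_type])
        if ident_type in (KEY_SHA1_HASH, CERT_SHA1_HASH):
            body += payload  # SHA1Hash: fixed 20 bytes, no length prefix
        elif ident_type == X509_NAME:
            body += struct.pack("!H", len(payload)) + payload  # DistinguishedName <1..2^16-1>
        elif ident_type != PRE_AGREED:  # pre_agreed carries no identifier bytes
            raise ValueError("unknown IdentifierType %d" % ident_type)
    return struct.pack("!H", len(body)) + body

def parse_trusted_ca_keys(data):
    """Parse a TrustedAuthorities body; every read is bounds-checked."""
    raw, pos = _take(data, 0, 2, "list length")
    if 2 + struct.unpack("!H", raw)[0] != len(data):
        raise ValueError("trusted_authorities_list length mismatch")
    out = []
    while pos < len(data):
        ident_type, pos = data[pos], pos + 1
        if ident_type == PRE_AGREED:
            payload = None  # struct {}: no identifier bytes follow
        elif ident_type in (KEY_SHA1_HASH, CERT_SHA1_HASH):
            payload, pos = _take(data, pos, 20, "SHA1Hash")  # opaque SHA1Hash[20]
        elif ident_type == X509_NAME:
            raw, pos = _take(data, pos, 2, "DistinguishedName length")
            n = struct.unpack("!H", raw)[0]
            if n < 1:
                raise ValueError("empty DistinguishedName")
            payload, pos = _take(data, pos, n, "DistinguishedName")
        else:
            raise ValueError("unknown IdentifierType %d" % ident_type)
        out.append((ident_type, payload))
    return out

def encode_certificate_authorities(names):
    """TLS 1.3 certificate_authorities body (RFC 8446 sec. 4.2.4): DER names only, no type byte."""
    body = b"".join(struct.pack("!H", len(n)) + n for n in names)
    return struct.pack("!H", len(body)) + body
```

An API that drives both versions from one CA list therefore has to emit x509_name entries for TLS <= 1.2 and bare names for TLS 1.3, and the parser must reject bodies whose inner lengths disagree with the outer list length.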

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users