On Fri, Jan 03, 2020, Benjamin Kaduk via openssl-users wrote:
> On Sun, Nov 24, 2019 at 12:05:34PM +0100, Claus Assmann wrote:
> > Seems it is impossible to override the list with NULL for SSL, as
> > the code will then use the list from CTX (if my limited understanding
> > Is this intentional? The man page says:
> Yes.

Then it would be nice to document this in the man page by adding some
text based on this:

> You should be able to set a "zero-length list" (which is a non-NULL pointer
> value) in order to get your desired behavior.

to it, e.g.,

SSL_set_client_CA_list() sets the list of CAs sent to the client when
requesting a client certificate for the chosen ssl, overriding the
setting valid for ssl's SSL_CTX object.

Note: to clear the CA list an empty stack must be passed as argument
(not NULL), e.g.,

    STACK_OF(X509_NAME) *certs;
    certs = sk_X509_NAME_new_null(); /* handle NULL result */
    SSL_set_client_CA_list(ssl, certs);

I did a brief test and it seems to work, thanks!