Re: resumption problem

On Fri, Mar 27, 2020 at 10:10:16PM +0000, Jeremy Harris wrote:

> >> A simple code addition to avoid that call in the client case sounds
> >> in order. 
> 
> Testing, it appears to work - I get resumption and not that error.
> And the Exim testsuite shows no regressions, at least on my laptop
> (which is Fedora 31, with 1.1.1d).

On a Fedora 31 system I also don't see those directives in the system
openssl.cnf or includes.  Mind you, closer inspection of the code
suggests that in the config file also "RequestCAPath" and "ClientCAPath"
would result in setting the bidirectional CA list.  But I don't find
those either.


> >>> Another possibility is that your system-wide openssl.cnf file has a
> >>> "RequestCAFile" or "ClientCAFile" setting.
> >>
> >> Neither appears to be present in /etc/pki/tls/openssl.cnf
> > 
> > And neither has any ".include" directives?

So my best guess is that you were testing with approximately a stock
1.1.1 that predates 1.1.1a, modulo security fixes.  Otherwise, it
is unclear how the client CA list (server -> client) ended up being
sent from client -> server.

-- 
    Viktor.
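
Added example, not part of the original message and not OpenSSL or Exim code: a check for the four directives named above that also follows ".include" lines, which a plain grep of openssl.cnf misses. The function names, the constructed sample files and the resolution of relative include paths against the including file are assumptions of this sketch.

```python
import os, re, tempfile

# Names from the message; matched case-insensitively as a conservative choice.
CA_DIRECTIVES = {"requestcafile", "clientcafile", "requestcapath", "clientcapath"}
INCLUDE_RE = re.compile(r"^\.include(?:\s*=\s*|\s+)(.+)$")

def find_ca_directives(path, seen=None):
    """Return (file, line number, name, value) for each CA-list directive."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)
    if real in seen:                      # guard against include loops
        return []
    seen.add(real)
    hits = []
    if os.path.isdir(real):               # included directory: *.cnf and *.conf
        for name in sorted(os.listdir(real)):
            if name.endswith((".cnf", ".conf")):
                hits += find_ca_directives(os.path.join(real, name), seen)
        return hits
    try:
        with open(real, encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    except OSError:
        return hits                       # unreadable or missing include
    for lineno, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0].strip()
        inc = INCLUDE_RE.match(line)
        if inc:
            # Assumption: relative includes resolve against the including file.
            target = os.path.join(os.path.dirname(real), inc.group(1).strip())
            hits += find_ca_directives(target, seen)
            continue
        name, sep, value = line.partition("=")
        if sep and name.strip().lower() in CA_DIRECTIVES:
            hits.append((real, lineno, name.strip(), value.strip()))
    return hits

def demo():
    """Scan a constructed config tree (not taken from any real system)."""
    with tempfile.TemporaryDirectory() as d:
        os.mkdir(os.path.join(d, "conf.d"))
        with open(os.path.join(d, "openssl.cnf"), "w") as fh:
            fh.write("openssl_conf = init\n# ClientCAFile = /ignored\n.include conf.d\n")
        with open(os.path.join(d, "conf.d", "tls.cnf"), "w") as fh:
            fh.write("[tls_defaults]\nMinProtocol = TLSv1.2\nRequestCAPath = /constructed/ca\n")
        return [(os.path.basename(f), n, k, v)
                for f, n, k, v in find_ca_directives(os.path.join(d, "openssl.cnf"))]

if __name__ == "__main__": print(demo())
```

On a real host, call find_ca_directives("/etc/pki/tls/openssl.cnf") with the path quoted in the thread; an empty list means none of the four directives is reachable from that file.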


