On 11.11.24 17:47, hshh wrote:
> For specific reasons, I cannot use CRLs and have to use CApath to
> verify peer certificates. These certificates are not CAs and now
> leak the CN of all certificates.
In other words, you effectively maintain a whitelist of *client*
certificates that shall be allowed to connect? Are those self-signed, or
just issued by an effectively defunct (since it apparently doesn't
maintain its CRL anymore) CA?
> I think when specifying both CAfile and CApath, 'Acceptable client
> certificate CA names' only needs to have CAfile.
Your problem is not CAfile vs. CApath but that TLS's way of a server
telling the client "you'll have to show me a client cert" goes on to say
"... and to pick one in your cert store that I'll accept, note that I'll
insist on its having been issued by one of *these* [explicit list] CAs
[or *possibly* it being one of the listed ones *itself*, though I'm
tempted to call it a bug if that works]". Even if the server could
somehow be made to accept more CAs than it announces, chances are that
you'd have to write your own *client* to have it even *try* a client
cert that the server's list doesn't label as promising.
Kind regards,
--
Jochen Bern
Systemingenieur
Binect GmbH
_______________________________________________
stunnel-users mailing list -- stunnel-users@stunnel.org
To unsubscribe send an email to stunnel-users-leave@stunnel.org
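To make the mechanism described above concrete: the following is an added example, not code from the thread or from stunnel. It uses Go's crypto/tls as a stand-in for stunnel/OpenSSL and its ClientCAs pool as the analogue of CApath: every certificate placed in the pool, CA or not, has its subject name announced in the server's CertificateRequest, and the client-side GetClientCertificate callback shows exactly what a connecting client gets to see. The certificate names (internal-ca.example, alice.client, bob.client) are constructed for the demo; the only real-world specifics are the TLS behaviour itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate with the given CN
// (constructed test data; isCA selects the basicConstraints CA flag).
func selfSigned(cn string, isCA bool) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// AnnouncedCANames loads every certificate in trusted into the server's
// client-CA pool (the analogue of dropping them all into CApath), runs one
// handshake over an in-memory pipe, and returns the CommonNames the server
// announced in its CertificateRequest, exactly as the client observed them.
func AnnouncedCANames(trusted []tls.Certificate) ([]string, error) {
	pool := x509.NewCertPool()
	for _, c := range trusted {
		pool.AddCert(c.Leaf) // CA or not, the pool does not care
	}
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{selfSigned("server.example", false)},
		ClientAuth:             tls.RequestClientCert,
		ClientCAs:              pool,
		MaxVersion:             tls.VersionTLS12, // whole exchange stays inside Handshake()
		SessionTicketsDisabled: true,             // no post-handshake writes into a pipe nobody reads
	}
	var names []string
	cliCfg := &tls.Config{
		InsecureSkipVerify: true, // in-memory demo; only the CertificateRequest matters here
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			// AcceptableCAs holds the DER-encoded subject names the server sent.
			for _, raw := range cri.AcceptableCAs {
				var seq pkix.RDNSequence
				if _, err := asn1.Unmarshal(raw, &seq); err != nil {
					return nil, err
				}
				var n pkix.Name
				n.FillFromRDNSequence(&seq)
				names = append(names, n.CommonName)
			}
			return &tls.Certificate{}, nil // send no client certificate at all
		},
	}
	c1, c2 := net.Pipe()
	defer c1.Close()
	defer c2.Close()
	srvErr := make(chan error, 1)
	go func() { srvErr <- tls.Server(c2, srvCfg).Handshake() }()
	if err := tls.Client(c1, cliCfg).Handshake(); err != nil {
		return nil, err
	}
	if err := <-srvErr; err != nil {
		return nil, err
	}
	return names, nil
}

// DemoNames runs the scenario from the thread: one real CA plus two plain
// client certificates all dropped into the trust directory.
func DemoNames() ([]string, error) {
	return AnnouncedCANames([]tls.Certificate{
		selfSigned("internal-ca.example", true),
		selfSigned("alice.client", false),
		selfSigned("bob.client", false),
	})
}

func main() {
	names, err := DemoNames()
	if err != nil {
		panic(err)
	}
	fmt.Println("subject names every connecting client is shown:", names)
}
```

Running it prints all three names, the two non-CA client certificates included. The point for a defender is that the list is not a verification setting but a hint the server hands to every peer before any authentication has happened, so whatever lands in the trust store (CAfile or CApath) is public to anyone who can open a connection; keeping only genuine issuing CAs in it, and handling per-client allow-listing after the handshake (for example by checking the verified peer certificate's subject in the application), avoids exposing the client roster.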