On 11.11.24 17:47, hshh wrote:
> For specific reasons, I cannot use CRLs and have to use CApath to verify peer certificates. These certificates are not CAs and now leak the CN of all certificates.
In other words, you effectively maintain a whitelist of *client* certificates that shall be allowed to connect? Are those self-signed, or just issued by an effectively defunct (since it apparently doesn't maintain its CRL anymore) CA?
> I think when specifying both CAfile and CApath, 'Acceptable client certificate CA names' only needs to have CAfile.
Your problem is not CAfile vs. CApath but that TLS's way of a server telling the client "you'll have to show me a client cert" goes on to say "... and to pick one in your cert store that I'll accept, note that I'll insist on it to have been issued by one of *these* [explicit list] CAs [or *possibly* it being one of the listed ones *itself*, though I'm tempted to call it a bug if that works]". Even if the server could somehow be made to accept more CAs than it announces, chances are that you'd have to write your own *client* to have it even *try* a client cert that the server's list doesn't label as promising.
Kind regards,
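To make the "leak" concrete: the list the server announces is the certificate_authorities field of the TLS 1.2 CertificateRequest message (RFC 5246, section 7.4.4), sent in the clear before any client certificate is chosen. The decoder below is an added example, not code from this thread or from OpenSSL; it builds a constructed CertificateRequest carrying three CN-only Names and extracts the CNs exactly as a client (or a passive observer of a TLS 1.2 handshake) would see them.

```python
import struct

CN_OID = bytes.fromhex("550403")  # OID 2.5.4.3, commonName


def _tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def common_name(dn_der):
    """Walk a DER Name (SEQUENCE OF SET OF {OID, value}) and return its CN, or None."""
    _, rdns, _ = _tlv(dn_der, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn_set, pos = _tlv(rdns, pos)
        inner = 0
        while inner < len(rdn_set):
            _, atv, inner = _tlv(rdn_set, inner)
            _, oid, p = _tlv(atv, 0)
            _, val, _ = _tlv(atv, p)
            if oid == CN_OID:
                return val.decode("utf-8")
    return None


def certificate_authorities(msg):
    """Return the DER Names listed in a TLS 1.2 CertificateRequest body."""
    pos = 1 + msg[0]                                          # skip certificate_types
    (sig_len,) = struct.unpack_from("!H", msg, pos); pos += 2 + sig_len  # skip sig algs
    (ca_len,) = struct.unpack_from("!H", msg, pos); pos += 2
    names, end = [], pos + ca_len
    while pos < end:
        (dn_len,) = struct.unpack_from("!H", msg, pos); pos += 2
        names.append(msg[pos:pos + dn_len]); pos += dn_len
    return names


def advertised_cns(msg):
    """CNs a client learns from the server's certificate_authorities list."""
    return [common_name(n) for n in certificate_authorities(msg)]


def _der_name_cn(cn):
    """Minimal DER Name holding only CN=<cn>; used to build the constructed sample."""
    atv = b"\x06\x03" + CN_OID + b"\x0c" + bytes([len(cn)]) + cn.encode()
    atv = b"\x30" + bytes([len(atv)]) + atv
    rdn = b"\x31" + bytes([len(atv)]) + atv
    return b"\x30" + bytes([len(rdn)]) + rdn


def build_certificate_request(cns):
    """Constructed TLS 1.2 CertificateRequest: rsa_sign, sha256/rsa, given CA Names."""
    names = b"".join(struct.pack("!H", len(n)) + n for n in map(_der_name_cn, cns))
    return (b"\x01\x01" + struct.pack("!H", 2) + b"\x04\x01"
            + struct.pack("!H", len(names)) + names)


# Constructed sample: two end-entity certs and one real CA in the trust store.
SAMPLE = build_certificate_request(["alice-laptop", "bob-phone", "Ops Root CA"])
```

Run `advertised_cns(SAMPLE)` against a message captured from your own server to check what names it is announcing; with non-CA certificates in the trust store, their CNs show up here.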