Hi Viktor,

Thanks a lot for your detailed response and the suggestion. I am going to implement it and let you know. I really appreciate your quick feedback on my request.

Thank you and best regards
Olivier
On Wed, Jan 19, 2022 at 5:49 PM Viktor Dukhovni <[email protected]> wrote:
> On Wed, Jan 19, 2022 at 05:21:27PM +0100, Olivier Germain via
> openssl-users wrote:
>
> > We have a requirement to implement the Distinguished Name in the response
> > received by the client. Hopefully I am ok.
>
> More accurately, you're being asked to send a suitable non-empty list of
> "Distinguished Names" in server "certificate request" extensions, when
> soliciting client certificates. This can be necessary to, e.g., solicit
> client certificates from Java applications, which select the certificate
> to use based on the names suggested by the server.
>
> > How can I set in my SSL code the value for the distinguished Name?
>
> Something along the lines of the below, which extracts the subject
> DNs from a PEM file with trusted issuer (root CA) certificates:
>
>     if (CAfile) {
>         STACK_OF(X509_NAME) *calist = SSL_load_client_CA_file(CAfile);
>
>         if (calist != NULL)
>             SSL_CTX_set_client_CA_list(ctx, calist);
>     }
>
> The operator of the server should be able to configure a file of trusted
> client cert issuers separately from the default list of trusted issuers.
> This would ideally hold just one or a few CAs actually used to issue
> client certificates trusted by the server in question.
>
> Note the documented ownership transfer:
>
>     SSL_CTX_set_client_CA_list() sets the list of CAs sent to the client
>     when requesting a client certificate for ctx. Ownership of list is
>     transferred to ctx and it should not be freed by the caller.
>
> There are other ways to construct a stack of CA X.509 names, but loading
> them from a PEM file of CA certs is typically the simplest option.
>
> --
>     Viktor.

--
Olivier GERMAIN
TIBCO Support
TIBCO software
18, rue du 4 Septembre
75002 Paris, France
Mobile : +33 6 45 30 23 31
