

Re: Client certificate authentication

From: Massimo B. <>
Date: Fri, 08 Jun 2018 14:36:48 +0200

On Fri, 2018-06-08 at 14:18 +0200, Daniel Stenberg wrote:
> The file name passed in with --cacert is set to the OpenSSL function
> SSL_CTX_load_verify_locations, and unfortunately the documentation for this
> function is very sparse on details on what it does when a client certificate
> is used:

I would like to reproduce the issue with openssl s_client and just forward this
whole issue to the openssl group.

> I think that feels like the correct way to do it. I think we should consider
> amending the --cert documentation to mention the case with intermediate
> certs.

Yes, or just allow multiple --cert, which doesn't currently work.

> Can you please suggest wording for our docs that you think would clarify and
> help the next user who falls into the same problem as you did here?

I can't suggest a wording for --cacert as I don't actually know what it does,
regarding that even the openssl documentation is weak about it as you say.

I just know...

> > So I would propose to change --cacert to this behaviour and add some
> > --certchain to explicitly add more certificates of the trust chain.

> But why?

...that --cacert should not change the list of client certs but only the CA db
used for validation.

Having multiple --cert or a merged cert file is also not that correct, as there
is always only one client cert, or maybe multiple client certs if available. The
rest like in my case are CA certs, just used to sign the client cert, required
for validation. Therefore I suggested to add those to something new like
--certchain, similar to the Qt methods. However I'm not completely sure if those
Qt methods do what I expect them to do..

Best regards,
Received on 2018-06-08
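The following is an added example, not part of this mail and not curl project code. It builds a throwaway root -> intermediate -> client PKI with the openssl CLI, shows what a server's verifier sees when the client presents only its leaf certificate versus leaf plus intermediate, and assembles the "merged cert file" the thread discusses. The CA names, file names and the hostnames in the printed command lines are made up; the claim that curl's OpenSSL backend sends the extra certificates found in the --cert PEM file as the client chain is an assumption stated in the comments, not something this mail establishes. Nothing in the script touches the network.

```shell
#!/bin/sh
# Added example (not from the curl-users thread): a private three-tier PKI,
# the two verification outcomes a server can see, and the merged client bundle.
set -eu

# Minimal openssl config so the script does not depend on a system openssl.cnf.
write_openssl_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# build_pki DIR: writes root.pem/root.key, inter.pem/inter.key, client.pem/client.key.
# Subject names are invented for the example.
build_pki() {
    dir=$1
    mkdir -p "$dir"
    write_openssl_cnf "$dir/openssl.cnf"
    printf '%s\n' 'basicConstraints = critical, CA:TRUE' \
        'keyUsage = critical, keyCertSign, cRLSign' 'subjectKeyIdentifier = hash' > "$dir/ca.ext"
    printf '%s\n' 'basicConstraints = CA:FALSE' 'keyUsage = critical, digitalSignature' \
        'extendedKeyUsage = clientAuth' 'subjectKeyIdentifier = hash' > "$dir/client.ext"

    # Self-signed root CA (the only thing the server is assumed to trust).
    openssl req -x509 -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Example Root CA" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Intermediate CA signed by the root.
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Example Intermediate CA" -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -sha256 -days 30 -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
    # Client (leaf) certificate signed by the intermediate, as in the thread.
    openssl req -new -config "$dir/openssl.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=client" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -in "$dir/client.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" -CAcreateserial \
        -sha256 -days 30 -extfile "$dir/client.ext" -out "$dir/client.pem" 2>/dev/null
}

# verify_chain ROOT LEAF [UNTRUSTED]: the check a server performs on the
# certificates the client presents; UNTRUSTED plays the role of intermediates
# sent along with the leaf. Prints ok/fail and returns 0/1.
verify_chain() {
    root=$1; leaf=$2; untrusted=${3:-}
    if [ -n "$untrusted" ]; then
        out=$(openssl verify -CAfile "$root" -untrusted "$untrusted" "$leaf" 2>&1 || true)
    else
        out=$(openssl verify -CAfile "$root" "$leaf" 2>&1 || true)
    fi
    case $out in
        *": OK"*) echo ok; return 0 ;;
        *) echo fail; return 1 ;;
    esac
}

# make_client_bundle LEAF INTER OUT: the "merged cert file" from the thread,
# leaf first, then the intermediate(s) the server needs to reach its root.
make_client_bundle() {
    cat "$1" "$2" > "$3"
}

# count_certs FILE: number of PEM certificate blocks in FILE.
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

WORK=$(mktemp -d)
build_pki "$WORK"

# Leaf only: the server holds just the root, so the chain cannot be built.
if verify_chain "$WORK/root.pem" "$WORK/client.pem" >/dev/null; then
    echo "unexpected: leaf verified without the intermediate"
else
    echo "leaf alone: verification fails (server has only the root)"
fi
# Leaf plus intermediate: the chain links up to the trusted root.
verify_chain "$WORK/root.pem" "$WORK/client.pem" "$WORK/inter.pem" >/dev/null \
    && echo "leaf + intermediate: verification succeeds"

make_client_bundle "$WORK/client.pem" "$WORK/inter.pem" "$WORK/client-chain.pem"
echo "bundle holds $(count_certs "$WORK/client-chain.pem") certificates"

# How the pieces map onto the command lines from the thread (printed, not run).
# --cacert / -CAfile is the trust store used to validate the *server*; the
# intermediate for the *client* chain has to travel with the client cert.
# Assumption, not established by the mail: curl's OpenSSL backend sends the
# extra certificates in the --cert PEM file as the chain. server-ca.pem and
# example.test are placeholders.
echo "curl --cert $WORK/client-chain.pem --key $WORK/client.key --cacert server-ca.pem https://example.test/"
echo "openssl s_client -connect example.test:443 -cert $WORK/client.pem -key $WORK/client.key -cert_chain $WORK/inter.pem -CAfile server-ca.pem"
```

The `openssl verify` calls reproduce the two outcomes a server can see: with only the leaf the verifier stops at "unable to get local issuer certificate", with the intermediate supplied as untrusted material it reaches the root and reports OK. The `-cert_chain` option of `openssl s_client` is the direct counterpart of the `--certchain` idea raised in the mail and is the easiest way to confirm against a real server whether the missing intermediate is the cause before looking further at curl.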