
Should we be calling SSL_CTX_add_client_CA() always when a custom CA is set? #54787

Open
addaleax opened this issue Sep 5, 2024 · 0 comments
Labels
tls Issues and PRs related to the tls subsystem.

Comments

@addaleax
Member

addaleax commented Sep 5, 2024

When specifying a ca option for TLS's createSecureContext(), we call SSL_CTX_add_client_CA() since the early days of TLS in Node.js: 2a61e1c

From the docs for that function:

In most cases it is not necessary to set CA names on the client side. The list of CA names that are acceptable to the client will be sent in plaintext to the server. This has privacy implications and may also have performance implications if the list is large. This optional capability was introduced as part of TLSv1.3 and therefore setting CA names on the client side will have no impact if that protocol version has been disabled. Most servers do not need this and so this should be avoided unless required.

@tniessen @nodejs/security-triage

@addaleax addaleax added the tls Issues and PRs related to the tls subsystem. label Sep 5, 2024
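To make the privacy point in the quoted OpenSSL documentation concrete, here is an added Python example (not Node.js or OpenSSL code) that builds and then parses the body of the TLS 1.3 certificate_authorities extension (ExtensionType 47, RFC 8446 section 4.2.4), the ClientHello field that SSL_CTX_add_client_CA() populates on the client side. The CA names are constructed samples, and the small DER helpers assume CN-only subject names; the point is that anyone observing the ClientHello can recover these subjects without any key material.

```python
import struct

OID_COMMON_NAME = b"\x55\x04\x03"  # id-at-commonName (2.5.4.3)

def der_tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER encoder, short-form length only (enough for CN-only Names)."""
    assert len(body) < 0x80, "short-form DER length only"
    return bytes([tag, len(body)]) + body

def der_read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def encode_name_cn(cn: str) -> bytes:
    """DER Name with a single commonName, standing in for a CA's subject."""
    atv = der_tlv(0x30, der_tlv(0x06, OID_COMMON_NAME) + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))  # Name ::= SEQUENCE { SET { atv } }

def build_certificate_authorities(names: list[bytes]) -> bytes:
    """Body of extension type 47: authorities<3..2^16-1> of DistinguishedName<1..2^16-1>."""
    body = b"".join(struct.pack(">H", len(n)) + n for n in names)
    return struct.pack(">H", len(body)) + body

def parse_certificate_authorities(ext_body: bytes) -> list[bytes]:
    """Split an extension body into its DER-encoded DistinguishedNames (all plaintext)."""
    (total,) = struct.unpack(">H", ext_body[:2])
    assert total == len(ext_body) - 2, "certificate_authorities length mismatch"
    names, pos = [], 2
    while pos < len(ext_body):
        (n,) = struct.unpack(">H", ext_body[pos:pos + 2])
        names.append(ext_body[pos + 2:pos + 2 + n])
        pos += 2 + n
    return names

def common_name(der_name: bytes) -> str:
    """Return the commonName from a DER Name; raise if the Name has none."""
    rdn_seq, pos = der_read_tlv(der_name, 0)[1], 0
    while pos < len(rdn_seq):
        _, rdn_set, pos = der_read_tlv(rdn_seq, pos)
        _, atv, _ = der_read_tlv(rdn_set, 0)
        _, oid, after_oid = der_read_tlv(atv, 0)
        if oid == OID_COMMON_NAME:
            return der_read_tlv(atv, after_oid)[1].decode()
    raise ValueError("no commonName in Name")

SAMPLE_CA_NAMES = ("Example Internal Root CA", "Example Issuing CA 1")  # constructed sample
SAMPLE_EXTENSION = build_certificate_authorities([encode_name_cn(cn) for cn in SAMPLE_CA_NAMES])
```

Running common_name() over parse_certificate_authorities(SAMPLE_EXTENSION) yields the two sample CA subjects exactly as a network observer would see them, which is why a client should only send this list when the server actually needs it.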