
Should we be calling SSL_CTX_add_client_CA() always when a custom CA is set? #54787

Open

Description

@addaleax

When specifying a ca option for TLS's createSecureContext(), we have been calling SSL_CTX_add_client_CA() since the early days of TLS in Node.js: 2a61e1c

From the docs for that function:

In most cases it is not necessary to set CA names on the client side. The list of CA names that are acceptable to the client will be sent in plaintext to the server. This has privacy implications and may also have performance implications if the list is large. This optional capability was introduced as part of TLSv1.3 and therefore setting CA names on the client side will have no impact if that protocol version has been disabled. Most servers do not need this and so this should be avoided unless required.

@tniessen @nodejs/security-triage
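The quoted OpenSSL note says the CA names end up in the ClientHello in plaintext; in TLS 1.3 they travel in the certificate_authorities extension (type 47, RFC 8446 section 4.2.4). The following is an added example for this issue, not code from Node.js or from the issue author: a small Node.js script that builds a constructed TLS 1.3 ClientHello record, optionally with that extension, and a checker that walks a ClientHello and reports which CA names it carries. The CA names ("Example Internal CA", "Example Root CA"), the hostname and the cipher suite list are made-up sample values, the DER encoder only handles short-form lengths, and the script assumes Node's global Buffer. A defender can run the checker over a captured ClientHello to see whether a client configured with a custom ca is advertising its trust list to every server it talks to.

```javascript
// Added example, not part of the Node.js issue or code base. All bytes below are
// constructed sample data; the CA names are made up.

function u16(n) { return [(n >> 8) & 0xff, n & 0xff]; }
function u24(n) { return [(n >> 16) & 0xff, (n >> 8) & 0xff, n & 0xff]; }

// Minimal DER X.501 Name holding a single commonName (OID 2.5.4.3).
// Short-form lengths only, which is enough for the sample names used here.
function derName(cn) {
  const value = Buffer.from(cn, 'utf8');
  const utf8String = Buffer.concat([Buffer.from([0x0c, value.length]), value]);
  const oid = Buffer.from([0x06, 0x03, 0x55, 0x04, 0x03]);
  const atv = Buffer.concat([Buffer.from([0x30, oid.length + utf8String.length]), oid, utf8String]);
  const set = Buffer.concat([Buffer.from([0x31, atv.length]), atv]);
  return Buffer.concat([Buffer.from([0x30, set.length]), set]);
}

function extension(type, data) {
  return Buffer.concat([Buffer.from(u16(type)), Buffer.from(u16(data.length)), data]);
}

// Build a TLS record carrying a TLS 1.3 ClientHello. When caNames is non-empty
// the certificate_authorities extension (type 47) is appended, which is what a
// client sends after CA names were added with SSL_CTX_add_client_CA().
function buildClientHello(caNames) {
  const host = Buffer.from('example.test', 'utf8');           // constructed SNI
  const sni = Buffer.concat([Buffer.from(u16(host.length + 3)), Buffer.from([0x00]),
                             Buffer.from(u16(host.length)), host]);
  const exts = [
    extension(0x002b, Buffer.from([0x02, 0x03, 0x04])),        // supported_versions: TLS 1.3
    extension(0x0000, sni),                                    // server_name
  ];
  if (caNames.length > 0) {
    const dns = Buffer.concat(caNames.map((cn) => {
      const d = derName(cn);
      return Buffer.concat([Buffer.from(u16(d.length)), d]);  // DistinguishedName<1..2^16-1>
    }));
    exts.push(extension(0x002f, Buffer.concat([Buffer.from(u16(dns.length)), dns])));
  }
  const extBlock = Buffer.concat(exts);
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]),                                 // legacy_version
    Buffer.alloc(32, 0x42),                                    // random (fixed, sample only)
    Buffer.from([0x00]),                                       // legacy_session_id: empty
    Buffer.from([0x00, 0x04, 0x13, 0x01, 0x13, 0x02]),         // cipher_suites: AES-GCM x2
    Buffer.from([0x01, 0x00]),                                 // compression_methods: null
    Buffer.from(u16(extBlock.length)), extBlock,
  ]);
  const handshake = Buffer.concat([Buffer.from([0x01]), Buffer.from(u24(body.length)), body]);
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), Buffer.from(u16(handshake.length)), handshake]);
}

// Extract the commonName from a DER Name by locating the 2.5.4.3 OID.
function commonNameOf(der) {
  const oid = Buffer.from([0x06, 0x03, 0x55, 0x04, 0x03]);
  const i = der.indexOf(oid);
  if (i < 0) return '<no CN>';
  const len = der[i + oid.length + 1];                         // length byte after the string tag
  return der.subarray(i + oid.length + 2, i + oid.length + 2 + len).toString('utf8');
}

function parseAuthorities(data) {
  const names = [];
  const end = 2 + data.readUInt16BE(0);
  for (let p = 2; p + 2 <= end;) {
    const len = data.readUInt16BE(p);
    names.push(commonNameOf(data.subarray(p + 2, p + 2 + len)));
    p += 2 + len;
  }
  return names;
}

// Walk a ClientHello record and return the CA names in its certificate_authorities
// extension, or null when the extension is absent (nothing is leaked).
function certificateAuthoritiesIn(record) {
  if (record[0] !== 0x16 || record[5] !== 0x01) throw new Error('not a ClientHello record');
  let p = 9;                                 // 5-byte record header + 4-byte handshake header
  p += 2 + 32;                               // legacy_version + random
  p += 1 + record[p];                        // legacy_session_id
  p += 2 + record.readUInt16BE(p);           // cipher_suites
  p += 1 + record[p];                        // compression_methods
  const extEnd = p + 2 + record.readUInt16BE(p);
  p += 2;
  while (p + 4 <= extEnd) {
    const type = record.readUInt16BE(p);
    const len = record.readUInt16BE(p + 2);
    if (type === 0x002f) return parseAuthorities(record.subarray(p + 4, p + 4 + len));
    p += 4 + len;
  }
  return null;
}

console.log('CA names in ClientHello:',
            certificateAuthoritiesIn(buildClientHello(['Example Internal CA', 'Example Root CA'])));
console.log('CA names without client CA list:', certificateAuthoritiesIn(buildClientHello([])));
```

The first call reports both sample names, which is the observable effect of adding client CA names: any on-path observer sees exactly which internal CAs the client trusts before the handshake is encrypted. The second call returns null, which is what a client that only loads the ca option into its verify store (without SSL_CTX_add_client_CA()) would send.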
