088ce43ffe
According to RFC5246 the server can indicate the known Certificate Authorities or can constrain the aurhorisation space by sending a certificate list. This part of the message is optional and if omitted, the client may send any certificate in the response. The previous behaviour of mbed TLS was to always send the name of all the CAs that are configured as root CAs. In certain cases this might cause usability and privacy issues for example: - If the list of the CA names is longer than the peers input buffer then the handshake will fail - If the configured CAs belong to third parties, this message gives away information on the relations to these third parties Therefore we introduce an option to suppress the CA list in the Certificate Request message. Providing this feature as a runtime option comes with a little cost in code size and advantages in maintenance and flexibility. |
||
|---|---|---|
| .. | ||
| mbedtls | ||
| .gitignore | ||
| CMakeLists.txt | ||