Openssl: "No server certificate CA names sent" message is confusing

Created on 5 Jun 2019 · 3 Comments · Source: openssl/openssl

speed% openssl version
OpenSSL 1.1.1b  26 Feb 2019

I ran openssl server as follows:

speed% openssl s_server -port 29999  -CAfile ca.crt -verify 1 -cert server.pem

I then attempted to connect to this server from my client. The server produced the following output in its terminal:

verify depth is 1
Using default temp DH parameters
ACCEPT
-----BEGIN SSL SESSION PARAMETERS-----
MH4CAQECAgMEBAITAgQgGg71gUjGt2LGFJrCZZVsZpRtIEG4KAX/jtXDHu3X6J0E
MO61KEPzOh/yfnWJlsSde8DE6L9PETpav7n1BoStU6TYVZArmMKye/WOfvE2fByr
2KEGAgRc9u4wogQCAhwgpAYEBAEAAACuBwIFAIPYu9Q=
-----END SSL SESSION PARAMETERS-----
Shared ciphers:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA
Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224:DSA+SHA224:DSA+SHA256:DSA+SHA384:DSA+SHA512
Shared Signature Algorithms: ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA512:Ed25519:Ed448:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA-PSS+SHA256:RSA-PSS+SHA384:RSA-PSS+SHA512:RSA+SHA256:RSA+SHA384:RSA+SHA512:ECDSA+SHA224:RSA+SHA224
Supported Elliptic Groups: X25519:P-256:X448:P-521:P-384
Shared Elliptic groups: X25519:P-256:X448:P-521:P-384
---
No server certificate CA names sent
CIPHER is TLS_AES_256_GCM_SHA384
Secure Renegotiation IS supported
ERROR
shutting down SSL
CONNECTION CLOSED

This issue is with respect to the "No server certificate CA names sent" message. What does it mean? Searching the internet for this message seems to yield, as a general description of what happened, "something related to openssl was not correctly configured".

  • Is this an error or a status message? Since the server produced it, is this a reference to the client not supplying some important information, or a note that the server is not going to send certificate CA names to the client?
  • According to the internet this seems like an error message. But it is produced by the server side (openssl s_server) and it is complaining about a server certificate - is this the server complaining about itself?
  • Was a certificate not provided, or was a certificate provided but was missing a name? Which name? Common name? OU? Issuer?
  • How can a user diagnose and resolve the condition that led to this message/error being printed, assuming this indicates an error?
Labels: good first issue, help wanted

All 3 comments

Yeah, I agree it is quite confusing. I had to go figure out what it actually means. It's a status message - not an error.

It was introduced as part of #3015 and is related to TLSv1.3 support. #3015 adds the ability for a client to send a list of acceptable CA names to the server. It's explained in more detail here:

https://www.openssl.org/docs/man1.1.1/man3/SSL_get0_peer_CA_list.html

That document actually actively discourages a client setting a list of acceptable CA names "in most cases", so it would actually be unusual to see anything other than this message.

The message itself is quite misleading anyway - especially where it says "server". What it actually means is "The client did not send a list of certificate CA names that are acceptable for the server to respond with"! In the case where a client doesn't send this list (which is the normal case) we just assume that any CA name is acceptable.

The extension that this relates to is available in TLSv1.2, but is used for a server to tell a client which CA names are acceptable in any client certificate if client auth is used. The same code for printing this message is also used on the client side (and existed prior to OpenSSL 1.1.1) but there the message would be "No client certificate CA names sent".

I'd be tempted to suppress this message on the server side when the list is empty, since almost all of the time it would be. Could be a good first issue for someone to tackle.
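To make the point above concrete: what s_server is reporting is whether the ClientHello carried a TLS 1.3 certificate_authorities extension (type 47, RFC 8446 section 4.2.4). The following is an added example, not OpenSSL project code: it builds two constructed ClientHello records (one without the extension, one carrying a single DER-encoded CA name), parses the extension list, and decodes the authorities list into the wording the comment says the message actually means. The function and constant names are this example's own.

```python
"""Check a TLS 1.3 ClientHello for the certificate_authorities extension.

Added example (not OpenSSL code). Sample ClientHellos are constructed inline.
"""
import struct

CERTIFICATE_AUTHORITIES = 47   # extension type, RFC 8446 section 4.2.4
SUPPORTED_VERSIONS = 43        # present in every TLS 1.3 ClientHello


def build_dn_cn(cn: str) -> bytes:
    """DER-encode an X.501 Name holding a single commonName (short-form lengths only)."""
    value = cn.encode()
    atv = b"\x06\x03\x55\x04\x03" + bytes([0x0C, len(value)]) + value  # OID 2.5.4.3, UTF8String
    atv = bytes([0x30, len(atv)]) + atv        # AttributeTypeAndValue (SEQUENCE)
    rdn = bytes([0x31, len(atv)]) + atv        # RelativeDistinguishedName (SET)
    return bytes([0x30, len(rdn)]) + rdn       # Name (SEQUENCE)


def encode_certificate_authorities(names: list) -> bytes:
    """Extension body: DistinguishedName authorities<3..2^16-1>, each name 2-byte length-prefixed."""
    body = b"".join(struct.pack("!H", len(n)) + n for n in names)
    return struct.pack("!H", len(body)) + body


def build_client_hello(extensions: dict) -> bytes:
    """Constructed minimal ClientHello wrapped in a TLS record (sample input, not a real capture)."""
    body = b"\x03\x03" + bytes(32)                   # legacy_version, random (zeros for the sample)
    body += b"\x00"                                  # empty legacy_session_id
    body += struct.pack("!H", 2) + b"\x13\x02"       # one cipher suite: TLS_AES_256_GCM_SHA384
    body += b"\x01\x00"                              # legacy_compression_methods: null only
    ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions.items())
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big")      # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs + body)) + hs + body


def parse_client_hello_extensions(record: bytes) -> dict:
    """Walk a handshake record carrying a ClientHello and return {extension_type: body}."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                     # skip legacy_version and random
    pos += 1 + body[pos]                             # legacy_session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                             # legacy_compression_methods
    exts = {}
    if pos >= len(body):
        return exts                                  # no extensions block at all
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos < end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        exts[etype] = body[pos:pos + elen]
        pos += elen
    return exts


def decode_certificate_authorities(ext_body: bytes) -> list:
    """Split the extension body back into the DER names the client said it accepts."""
    total = struct.unpack("!H", ext_body[:2])[0]
    if total != len(ext_body) - 2:
        raise ValueError("certificate_authorities length mismatch")
    names, pos = [], 2
    while pos < 2 + total:
        n = struct.unpack("!H", ext_body[pos:pos + 2])[0]
        pos += 2
        names.append(ext_body[pos:pos + n])
        pos += n
    return names


def describe_ca_names(record: bytes) -> str:
    """State plainly what s_server's terse status line means for this ClientHello."""
    exts = parse_client_hello_extensions(record)
    names = []
    if CERTIFICATE_AUTHORITIES in exts:
        names = decode_certificate_authorities(exts[CERTIFICATE_AUTHORITIES])
    if not names:
        return "client sent no certificate_authorities extension: any CA name is acceptable"
    return f"client sent {len(names)} acceptable CA name(s)"


if __name__ == "__main__":
    plain = build_client_hello({SUPPORTED_VERSIONS: b"\x02\x03\x04"})
    print(describe_ca_names(plain))
    ca_list = encode_certificate_authorities([build_dn_cn("Test CA")])
    with_ca = build_client_hello({SUPPORTED_VERSIONS: b"\x02\x03\x04", CERTIFICATE_AUTHORITIES: ca_list})
    print(describe_ca_names(with_ca))
```

The first record models the usual case the comment describes (the status line appears, and the server treats every CA as acceptable); the second models a client that does set a list, which is the only situation in which s_server would print names instead. Running the parser over a real ClientHello captured from the wire works the same way, provided the record is a single unfragmented handshake record.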

Hi, I'd like to get involved and found this issue while looking for good first issues. Can I take it up?

@wbrawner - please do!
