Document that passing NULL to SSL_set_client_CA_list() does not clear
the CA list; instead, the SSL_CTX's setting is used. Also note that
passing an empty stack created with sk_X509_NAME_new_null() clears the
per-connection client CA list, but during the handshake the generic CA
list (set via SSL_CTX_set0_CA_list()) may still be used as a fallback.
Fixes #10795
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Wed Feb 11 20:02:47 2026
(Merged from https://github.com/openssl/openssl/pull/29917)
requesting a client certificate for the chosen B<ssl>, overriding the
setting valid for B<ssl>'s SSL_CTX object. Ownership of B<list> is transferred
to B<s> and it should not be freed by the caller.
+Note that passing NULL for B<list> does not clear the CA list; instead, the
+setting from B<ssl>'s SSL_CTX object will be used. Note also that passing an
+empty stack created with sk_X509_NAME_new_null() will clear the per-connection
+client CA list, but during the handshake the generic CA list (set via
+L<SSL_CTX_set0_CA_list(3)>) may still be used as a fallback.
SSL_CTX_get_client_CA_list() returns the list of client CAs explicitly set for
B<ctx> using SSL_CTX_set_client_CA_list(). The returned list should not be freed
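Review bot: The unchanged context line just above the added paragraph still reads "Ownership of B<list> is transferred to B<s>", while the parameter is called B<ssl> in the rest of this hunk and in the new text ("B<ssl>'s SSL_CTX object"); since this patch is editing the same paragraph, change B<s> to B<ssl> here so the man page uses one name. In the added text, the first sentence says NULL "does not clear the CA list" while the second sentence talks about "the per-connection client CA list"; qualify the first sentence the same way ("does not clear the per-connection client CA list") so a reader does not take it to mean the SSL_CTX's list is left untouched as well.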