From: kovan Date: Sat, 7 Feb 2026 17:02:41 +0000 (+0100) Subject: doc: document SSL_set_client_CA_list NULL behavior X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f92ed8f003c37feb6c469be338646a54148e3bd3;p=thirdparty%2Fopenssl.git doc: document SSL_set_client_CA_list NULL behavior Document that passing NULL to SSL_set_client_CA_list() does not clear the CA list; instead, the SSL_CTX's setting is used. Also note that passing an empty stack created with sk_X509_NAME_new_null() clears the per-connection client CA list, but during the handshake the generic CA list (set via SSL_CTX_set0_CA_list()) may still be used as a fallback. Fixes #10795 Co-Authored-By: Claude Opus 4.6 Reviewed-by: Neil Horman Reviewed-by: Frederik Wedel-Heinen MergeDate: Wed Feb 11 20:02:47 2026 (Merged from https://github.com/openssl/openssl/pull/29917) --- diff --git a/doc/man3/SSL_CTX_set0_CA_list.pod b/doc/man3/SSL_CTX_set0_CA_list.pod index 64e8117f923..0f82ee5d971 100644 --- a/doc/man3/SSL_CTX_set0_CA_list.pod +++ b/doc/man3/SSL_CTX_set0_CA_list.pod @@ -70,6 +70,11 @@ SSL_set_client_CA_list() sets the B of CAs sent to the client when requesting a client certificate for the chosen B, overriding the setting valid for B's SSL_CTX object. Ownership of B is transferred to B and it should not be freed by the caller. +Note that passing NULL for B does not clear the CA list; instead, the +setting from B's SSL_CTX object will be used. Note also that passing an +empty stack created with sk_X509_NAME_new_null() will clear the per-connection +client CA list, but during the handshake the generic CA list (set via +L) may still be used as a fallback. SSL_CTX_get_client_CA_list() returns the list of client CAs explicitly set for B using SSL_CTX_set_client_CA_list(). The returned list should not be freed
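Review bot: the added sentence "passing NULL for B does not clear the CA list; instead, the setting from B's SSL_CTX object will be used" is ambiguous about what happens to a per-connection list that was set earlier: it can be read as that list being retained, while the second clause says the SSL_CTX setting applies. Make explicit whether a NULL argument frees and removes the existing per-connection list (so the SSL_CTX list is what gets sent) or leaves it in place, for example "passing NULL removes any per-connection list, so the setting from B's SSL_CTX object is used instead". Since the empty-stack case is documented as still falling back to the generic CA list set via SSL_CTX_set0_CA_list(), it would also help callers if the paragraph stated how to send no CA names at all (or that this is not possible while a generic CA list is configured), rather than leaving the reader to infer it from the two cases.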