Feature #2694

[PATCH] add support for ssl.cadn-file

Added by mackyle over 1 year ago. Updated 9 months ago.


If ssl.cadn-file is not set, fallback to

The ssl.cadn-file option provides independent control of
the "certificate_authorities" field (see RFC 5246 section
7.4.4 Certificate Request) separate from the actual list
of trusted certificate authorities used for client
certificate verification.

It may be necessary to send a hint that includes the DN
of a non-root client CA in order to receive the correct
certificate from the client, but such a non-root CA really
does not belong in the trusted client root CA list.

Patch file attached.

0008-ssl-add-support-for-ssl.cadn-file_patch.txt (4.49 KB) mackyle, 2015-12-03 23:02

0003-ssl-add-support-for-ssl.cadn-file_patch.txt (4.47 KB) mackyle, 2016-03-26 20:58

ca-crl-1.4.41.patch - Revocation list patch for version 1.4.41 (3.56 KB) flynn, 2016-08-02 09:35
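
To see the field this option controls, the following added example (not part of the attached patches or of lighttpd) parses a TLS 1.2 CertificateRequest body as laid out in RFC 5246 section 7.4.4 and returns the DNs in certificate_authorities. The function names and the sample message are constructed for illustration.

```python
class ParseError(ValueError):
    """Raised when the message does not follow the RFC 5246 7.4.4 layout."""

def _vec(buf, off, len_bytes):
    """Read one length-prefixed vector; return (payload, next_offset)."""
    if off + len_bytes > len(buf):
        raise ParseError("truncated length field")
    n = int.from_bytes(buf[off:off + len_bytes], "big")
    off += len_bytes
    if off + n > len(buf):
        raise ParseError("vector overruns message")
    return buf[off:off + n], off + n

def parse_certificate_request(body):
    """Split a CertificateRequest body into its three vectors."""
    types, off = _vec(body, 0, 1)      # certificate_types<1..2^8-1>
    sigalgs, off = _vec(body, off, 2)  # supported_signature_algorithms<2..2^16-2>
    cas, off = _vec(body, off, 2)      # certificate_authorities<0..2^16-1>
    if off != len(body):
        raise ParseError("trailing bytes after certificate_authorities")
    if not types or len(sigalgs) < 2 or len(sigalgs) % 2:
        raise ParseError("bad certificate_types or signature algorithms")
    dns, pos = [], 0
    while pos < len(cas):              # each entry: opaque DistinguishedName<1..2^16-1>
        dn, pos = _vec(cas, pos, 2)
        if not dn:
            raise ParseError("empty DistinguishedName")
        dns.append(dn)                 # DER-encoded X.501 Name, kept as raw bytes
    return {"certificate_types": list(types),
            "signature_algorithms": [tuple(sigalgs[i:i + 2]) for i in range(0, len(sigalgs), 2)],
            "ca_dns": dns}

def der_cn_name(cn):
    """Constructed sample: DER Name with one CN attribute (short-form lengths only)."""
    s = cn.encode()
    atv = b"\x30" + bytes([7 + len(s)]) + b"\x06\x03\x55\x04\x03\x0c" + bytes([len(s)]) + s
    rdn = b"\x31" + bytes([len(atv)]) + atv
    return b"\x30" + bytes([len(rdn)]) + rdn

def build_sample(dns):
    """Constructed CertificateRequest body carrying the given DN hints."""
    cas = b"".join(len(d).to_bytes(2, "big") + d for d in dns)
    types = b"\x01\x40"                # rsa_sign, ecdsa_sign
    sigalgs = b"\x04\x01\x04\x03"      # sha256+rsa, sha256+ecdsa
    return (bytes([len(types)]) + types + len(sigalgs).to_bytes(2, "big") + sigalgs
            + len(cas).to_bytes(2, "big") + cas)

if __name__ == "__main__":
    hint = der_cn_name("Example Issuing CA")   # non-root CA sent only as a hint
    print(parse_certificate_request(build_sample([hint]))["ca_dns"] == [hint])
```

The DNs returned here are only the hint list the server advertises; which CAs the server actually trusts for verification is a separate setting and is not visible in this message.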


#1 Updated by mackyle about 1 year ago

A recent change ([stat] mimetype.xattr-name global config option) broke this patch.

An updated patch is attached. The two preceding parts to this SSL series (#2693 and #2692) are not affected.

#2 Updated by gstrauss 12 months ago

  • Category changed from core to TLS

#4 Updated by gstrauss 10 months ago

  • Assignee deleted (stbuehler)
  • Missing in 1.5.x deleted (Yes)

#5 Updated by flynn 9 months ago

I updated the patch for version 1.4.41.
Can this make it into version 1.4.42?

#6 Updated by gstrauss 9 months ago

Patches are much more likely to be included if there is someone with whom I can discuss the patches, and who can reliably test lighttpd once those patches have been applied (and before the patches are included in a lighttpd release).

mackyle had posted a few pull requests, including 62, 63, and 64
I left quite a few comments in but unfortunately got no response, and I am hesitant to spend time reviewing and maintaining drive-by patch dumps.

The patch you updated (above) is also submitted as a pull request at
