The M2Crypto library has a few CA-related functions on its SSL.Context object, but the documentation is very unclear as to when you would use certain functions and why. In fact, the docs for almost all of them are, "Load CA certs into the context," so it seems possible that they all do the same thing.

There are several examples that use both set_client_CA_list_from_file() and load_verify_info(), but there are also other similar functions like load_client_ca() and load_verify_locations().

I am writing both client and server pieces. What functions should I use and why? What specifically do they do?

Edit:

Looking through the code I see:

# Deprecated.
load_client_CA = load_client_ca = set_client_CA_list_from_file

and

# Deprecated.
load_verify_info = load_verify_locations

So that helps a little. This brings us down to two functions: set_client_CA_list_from_file() and load_verify_locations(). But I still can't quite tell the difference between the two.

+2  A: 

If your server requires the client to present a certificate, it can restrict who are the valid issuers of the client certificates by specifying the issuers calling set_client_CA_list_from_file. This is actually pretty rare.

The client specifies who are the valid server certificate issuers by calling load_verify_locations. Almost all clients should do this.

Both client and server can call load_cert to set their own certificate. Servers should almost always do this. Clients should probably do this only if the server requires the client to present a certificate.

I recommend you pick a copy of Network Security with OpenSSL by John Viega, Matt Messier and Pravir Chandra, ISBN 059600270X, which should clarify these issues in more detail.

Heikki Toivonen
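To make the split in the answer concrete, here is an added example (not from the question, the answer, or M2Crypto itself) that mirrors it with Python's standard-library ssl module over a loopback socket: the client loads the issuers it trusts for the server certificate, the server loads its own certificate and key, and only a server that demands client certificates loads a client-CA file. The stdlib has no separate call for the issuer list advertised to the client, so load_verify_locations on the server context stands in for set_client_CA_list_from_file; load_cert_chain stands in for load_cert. Test certificates are generated at run time with the openssl command-line tool, which is assumed to be on PATH; the names server, client and localhost are constructed for the example.

```python
"""Which side loads which CA, shown with the stdlib ssl module over loopback.

Added example (not M2Crypto code). Mirrors the split in the answer above:
the CLIENT loads the CAs that may have issued the SERVER certificate; the
SERVER loads its own cert/key and, only if it demands client certificates,
the CAs that may have issued CLIENT certificates. Certificates are created
at run time with the `openssl` CLI (assumed on PATH); nothing is embedded.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading

HOST = "127.0.0.1"
SERVER_NAME = "localhost"  # constructed: name the client checks against the server cert


def make_self_signed(directory, name, cn):
    """Generate a throw-away self-signed cert that also serves as its own trust anchor."""
    key = os.path.join(directory, f"{name}-key.pem")
    cert = os.path.join(directory, f"{name}-cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={cn}", "-addext", f"subjectAltName=DNS:{cn}",
         "-keyout", key, "-out", cert],
        check=True, capture_output=True,
    )
    return cert, key


def server_context(cert, key, client_ca=None):
    """Server side: own cert/key always; a client-CA file only when client certs are required."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert, key)            # M2Crypto: load_cert
    if client_ca is not None:
        ctx.verify_mode = ssl.CERT_REQUIRED   # demand a client certificate ...
        ctx.load_verify_locations(client_ca)  # ... issued by this CA (M2Crypto: set_client_CA_list_from_file)
    return ctx


def client_context(server_ca, cert=None, key=None):
    """Client side: trusted server-cert issuers always; own cert only if the server demands it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED and check_hostname by default
    ctx.load_verify_locations(server_ca)           # M2Crypto: load_verify_locations
    if cert is not None:
        ctx.load_cert_chain(cert, key)             # M2Crypto: load_cert
    return ctx


def handshake(server_ctx, client_ctx):
    """Run one TLS handshake over loopback. Returns (client_ok, server_ok)."""
    listener = socket.socket()
    listener.bind((HOST, 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    outcome = {"server": False}

    def serve():
        conn, _ = listener.accept()
        conn.settimeout(5)
        try:
            with server_ctx.wrap_socket(conn, server_side=True) as tls:
                tls.sendall(b"ok")             # reached only if the handshake (incl. client-cert check) passed
                outcome["server"] = True
        except OSError:                        # SSLError is an OSError: rejected or aborted handshake
            pass
        finally:
            listener.close()

    thread = threading.Thread(target=serve)
    thread.start()
    client_ok = False
    try:
        with socket.create_connection((HOST, port), timeout=5) as raw, \
                client_ctx.wrap_socket(raw, server_hostname=SERVER_NAME) as tls:
            client_ok = tls.recv(2) == b"ok"   # wait for the server's verdict, not just our own handshake
    except OSError:
        pass
    thread.join()
    return client_ok, outcome["server"]


def demo():
    """Four configurations; returns {name: (client_ok, server_ok)}."""
    with tempfile.TemporaryDirectory() as d:
        s_cert, s_key = make_self_signed(d, "server", SERVER_NAME)
        c_cert, c_key = make_self_signed(d, "client", "client")
        return {
            # plain TLS: client verifies the server, server asks for nothing
            "server_auth_only": handshake(server_context(s_cert, s_key),
                                          client_context(s_cert)),
            # mutual TLS: server accepts only client certs from the client CA; client has one
            "mutual_ok": handshake(server_context(s_cert, s_key, client_ca=c_cert),
                                   client_context(s_cert, c_cert, c_key)),
            # server demands a client cert, client presents none
            "client_cert_missing": handshake(server_context(s_cert, s_key, client_ca=c_cert),
                                             client_context(s_cert)),
            # client trusts the wrong issuer for the server certificate
            "wrong_server_ca": handshake(server_context(s_cert, s_key),
                                         client_context(c_cert)),
        }


if __name__ == "__main__":
    for name, (client_ok, server_ok) in demo().items():
        print(f"{name:22s} client_ok={client_ok} server_ok={server_ok}")
```

The first two configurations succeed on both sides; the third fails because the server's load_verify_locations plus CERT_REQUIRED rejects a client that brought no certificate, and the fourth fails because the client's load_verify_locations does not contain the server's issuer. The client deliberately waits for the server's "ok" rather than trusting its own handshake result, since under TLS 1.3 the client's handshake can complete before the server has finished checking the client certificate.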