Commit f92ed8f003 for openssl.org
commit f92ed8f003c37feb6c469be338646a54148e3bd3
Author: kovan <xaum.io@gmail.com>
Date: Sat Feb 7 18:02:41 2026 +0100
doc: document SSL_set_client_CA_list NULL behavior
Document that passing NULL to SSL_set_client_CA_list() does not clear
the CA list; instead, the SSL_CTX's setting is used. Also note that
passing an empty stack created with sk_X509_NAME_new_null() clears the
per-connection client CA list, but during the handshake the generic CA
list (set via SSL_CTX_set0_CA_list()) may still be used as a fallback.
Fixes #10795
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Frederik Wedel-Heinen <fwh.openssl@gmail.com>
MergeDate: Wed Feb 11 20:02:47 2026
(Merged from https://github.com/openssl/openssl/pull/29917)
diff --git a/doc/man3/SSL_CTX_set0_CA_list.pod b/doc/man3/SSL_CTX_set0_CA_list.pod
index 64e8117f92..0f82ee5d97 100644
--- a/doc/man3/SSL_CTX_set0_CA_list.pod
+++ b/doc/man3/SSL_CTX_set0_CA_list.pod
@@ -70,6 +70,11 @@ SSL_set_client_CA_list() sets the B<list> of CAs sent to the client when
requesting a client certificate for the chosen B<ssl>, overriding the
setting valid for B<ssl>'s SSL_CTX object. Ownership of B<list> is transferred
to B<s> and it should not be freed by the caller.
+Note that passing NULL for B<list> does not clear the CA list; instead, the
+setting from B<ssl>'s SSL_CTX object will be used. Note also that passing an
+empty stack created with sk_X509_NAME_new_null() will clear the per-connection
+client CA list, but during the handshake the generic CA list (set via
+L<SSL_CTX_set0_CA_list(3)>) may still be used as a fallback.
SSL_CTX_get_client_CA_list() returns the list of client CAs explicitly set for
B<ctx> using SSL_CTX_set_client_CA_list(). The returned list should not be freed
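Review bot: "may still be used as a fallback" in the last added line leaves the important case unstated; the reader who passes an empty stack from sk_X509_NAME_new_null() needs to know the exact condition under which the list set via SSL_CTX_set0_CA_list() is sent instead, since an empty per-connection list that is silently replaced on the wire by the generic list changes which client certificates a peer will offer. Suggest replacing "may still be used" with the concrete condition (e.g. "is used whenever the client CA list is empty", if that is the behaviour) or a pointer to the section of this page that describes the fallback. Minor: the unchanged context line "to B<s> and it should not be freed by the caller." refers to the connection as B<s> while the rest of the paragraph and the new text use B<ssl>; worth fixing to B<ssl> while this paragraph is being touched.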