sock.get_client_ca_list() returns empty result on an F5 server

[feenes]

I try to get the list of client CAs, that a server allows.

with openssl I can call:
openssl s_client -connect hostname:443 -servername hostname and I can see the CAs after the lines

---
Acceptable client certificate CA names

for most servers I succeed with following code, that I borrowed from stackoverflow

import socket
from OpenSSL import SSL

def get_client_cert_cas(hostname, port):
    ctx = SSL.Context(SSL.SSLv23_METHOD)
    sock = SSL.Connection(ctx, socket.socket(socket.AF_INET, socket.SOCK_STREAM))
    # next line for SNI
    sock.set_tlsext_host_name(hostname.encode("utf-8"))
    sock.connect((hostname, port))
    sock.send(b"G")  # must send at least one byte
    return sock.get_client_ca_list())

For some servers (F5) however I always get an empty answer. Though the openssl command returns the correct information.

The sending of "G" is a little strange as is already mentioned in the stackoverflow article.

Is it a bug if I don't receive the correct CAs for given F5 servers or is above code wrong?

[feenes]

Probably the reason is TLS1.3 Created a new issue #1010 and closed this one.