httpd-bugs mailing list archives
Subject DO NOT REPLY [Bug 47329] New: SSLCADNRequest* & SSLCACertificate* documentation deficiency
Date Sun, 07 Jun 2009 14:13:55 GMT

           Summary: SSLCADNRequest* & SSLCACertificate* documentation deficiency
           Product: Apache httpd-2
           Version: 2.2.6
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl

Created an attachment (id=23770): Perl utility to create Client Request file from concatenated certificates

The documentation for SSLCADNRequest* (and probably the SSL HOWTO) should
indicate that TRUSTED certificates cannot be used.

The documentation for SSLCACertificate* should indicate that while TRUSTED
certificates can be used for verification by the server, they will not be sent
to the client.

It turns out that my CA certificate is marked TRUSTED (e.g. begins with --BEGIN
TRUSTED CERTIFICATE).  mod_ssl is perfectly happy to accept such certificates,
but they are never sent to the client; openssl s_client will report "No
certificate names sent".  There is no warning in any of the logfiles; the
directive is silently ignored, although the files are read.

This is astoundingly confusing, since such certificates work perfectly well
with SSLCACertificate* - they work as expected!

I think this is a documentation deficiency, although one might argue (after a
lot of debugging) that a warning is deserved.

In general, I found the documentation of the SSL*Certificate* directives very
confusing because it is so terse.  It would be helpful to emphasize that:

SSLCertificate* define the server's certificate & its authentication chain

SSLCACertificate* define the Client's certificate issuers that are acceptable
to the server.  Intermediate CAs are not required.

SSLCADNRequest* define the certificate issuers that the Client will be told to
select, and should include any Intermediate CAs.

I wrote a small Perl script that will convert a file containing any number of
certificates into a format that's acceptable to SSLCADNRequestFile (and
openssl!).  It removes any trust from each certificate, and includes the
subject, issuer, and fingerprint as comments.  Perhaps it will be useful to
someone else - it's attached to this report.
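The conversion the report describes, as an added example that is not the reporter's attached Perl script and not part of the original message. It relies on two facts about OpenSSL's PEM handling: a "TRUSTED CERTIFICATE" block is the X.509 certificate DER immediately followed by a CertAux trailer (the trust settings), and the reader behind SSL_load_client_CA_file (PEM_read_bio_X509) only accepts the plain "CERTIFICATE" label, whereas the certificate-store loader behind SSLCACertificate* (PEM_read_bio_X509_AUX) accepts both. That is why the DN request file silently ends up empty. The converter keeps only the leading certificate element, relabels it, and prefixes a SHA-256 fingerprint comment (the same digest as `openssl x509 -fingerprint -sha256`); subject and issuer are left out because they would need a full X.509 parser. The sample input is constructed: the DER payloads are stand-ins with correct SEQUENCE framing, not real certificates.

```python
"""Normalise concatenated PEM certificates for use in SSLCADNRequestFile.

Added example (stdlib only), not the report's attached Perl utility.
"""
import base64
import hashlib
import re
import textwrap

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.S,
)


def der_element_length(der: bytes) -> int:
    """Total length (tag + length octets + content) of the first DER element."""
    if len(der) < 2:
        raise ValueError("truncated DER element")
    first = der[1]
    if first < 0x80:                      # short form: one length octet
        header, content = 2, first
    else:                                 # long form: 0x8N then N length octets
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("unsupported or truncated DER length")
        header, content = 2 + n, int.from_bytes(der[2:2 + n], "big")
    total = header + content
    if total > len(der):
        raise ValueError("DER element runs past end of data")
    return total


def strip_trust(der: bytes) -> bytes:
    """Keep the certificate SEQUENCE; drop the CertAux trailer of a TRUSTED block."""
    if not der or der[0] != 0x30:         # Certificate ::= SEQUENCE
        raise ValueError("not a DER SEQUENCE")
    return der[:der_element_length(der)]


def pem_wrap(label: str, der: bytes) -> str:
    """PEM-encode der under the given label, 64 characters per line."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def to_dn_request_pem(text: str):
    """Return (pem_text, number_of_TRUSTED_blocks_converted).

    Plain CERTIFICATE blocks pass through unchanged, TRUSTED CERTIFICATE
    blocks lose their trust trailer, and anything else (private keys, CRLs)
    is dropped because it does not belong in a CA DN request file. The '#'
    comment lines sit outside the BEGIN/END markers, which the PEM reader
    ignores.
    """
    out, converted = [], 0
    for m in PEM_BLOCK.finditer(text):
        label = m.group("label")
        der = base64.b64decode("".join(m.group("body").split()))
        if label == "TRUSTED CERTIFICATE":
            der = strip_trust(der)
            converted += 1
        elif label != "CERTIFICATE":
            continue
        fp = hashlib.sha256(der).hexdigest()
        out.append(f"# SHA256 fingerprint: {fp}\n" + pem_wrap("CERTIFICATE", der))
    return "".join(out), converted


def _der_seq(content: bytes) -> bytes:
    """Wrap content in a DER SEQUENCE, using long-form length when needed."""
    n = len(content)
    if n < 0x80:
        return b"\x30" + bytes([n]) + content
    length_octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(length_octets)]) + length_octets + content


# Constructed stand-ins, NOT real certificates: only the outer SEQUENCE framing
# matters to the converter, and the 200-byte payload forces a long-form length.
FAKE_CERT = _der_seq(b"\x04\x81\xc8" + b"\x00" * 200)
FAKE_AUX = _der_seq(b"\x02\x01\x01")      # stands in for OpenSSL's CertAux trailer
SAMPLE_INPUT = (
    pem_wrap("TRUSTED CERTIFICATE", FAKE_CERT + FAKE_AUX)
    + pem_wrap("CERTIFICATE", FAKE_CERT)
    + pem_wrap("PRIVATE KEY", b"\x30\x00")
)

if __name__ == "__main__":
    pem, n = to_dn_request_pem(SAMPLE_INPUT)
    print(pem, end="")
    print(f"# converted {n} TRUSTED CERTIFICATE block(s)")
```

Run it against a real concatenated bundle with `to_dn_request_pem(open("bundle.pem").read())` and write the result to the file named by SSLCADNRequestFile; `openssl s_client` should then list the issuer names instead of reporting "No certificate names sent". Intermediate CAs must be in this file as the report says, so include them in the bundle before converting.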
