httpd-dev mailing list archives

From "MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1)" <>
Subject RE: mod_ssl(httpd-2.0.43) always skips a leading certificate of SSLCertificateChainFile
Date Tue, 07 Jan 2003 19:16:45 GMT
Yep.. The older logic was initializing the bSkipFirst = FALSE. Although I
haven't tested the fix, the logic seems to be broken b/w r1.69 and r1.70
(unless it was done deliberately)

$ cvs log ssl_engine_init.c
revision 1.70
date: 2002/03/28 01:07:20;  author: dougm;  state: Exp;  lines: +52 -40
break out certificate chain initialization into
ssl_init_cert_chain function 


>-----Original Message-----
>From: Tadasuke SUDO []
>Sent: Tuesday, January 07, 2003 2:17 AM
>Subject: mod_ssl(httpd-2.0.43) always skips a leading certificate of
>I encountered a problem that mod_ssl(httpd-2.0.43) always skips
>a leading certificate of SSLCertificateChainFile.
>So, I checked the source code of httpd-2.0.43, and I found the related
>code in "ssl_engine_init.c".  In a function
>"ssl_init_ctx_cert_chain()", a function
>"SSL_CTX_use_certificate_chain()" is invoked with some arguments - the
>third argument is a local boolean variable "skip_first".  If
>skip_first is TRUE, SSL_CTX_use_certificate_chain() skips a leading
>certificate of SSLCertificateChainFile.  Because
>ssl_init_ctx_cert_chain() initializes skip_first to TRUE and doesn't
>make it FALSE, skip_first is always TRUE.  Therefore, a leading
>certificate of SSLCertificateChainFile is always skipped.
>I think skip_first should be initialized to FALSE.
>(Since mod_ssl-2.8.12-1.3.27 works fine,
> I checked its source code.  There is similar code, and
> skip_first is initialized to FALSE.)
>Tadasuke SUDO
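
The effect reported in this thread, as an added example that is not part of either message and is not mod_ssl code: a small Python model of which chain certificates reach the SSL context when skip_first is always TRUE versus initialized to FALSE. The file names and certificate payloads are constructed, and the rule that skip_first becomes TRUE only when the chain file is also the server certificate file is an assumption of this example.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def pem(label):
    """Constructed PEM block: the payload is a text label, not a real certificate."""
    body = base64.b64encode(label.encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

# Constructed sample files (hypothetical names).
FILES = {
    "server.crt": pem("server"),
    "ca-chain.crt": pem("intermediate-ca") + pem("root-ca"),
    "combined.pem": pem("server") + pem("intermediate-ca") + pem("root-ca"),
}

def read_certs(pem_text):
    """Return the certificates of a PEM file in file order (as labels here)."""
    return [base64.b64decode(b).decode() for b in PEM_RE.findall(pem_text)]

def chain_sent(cert_path, chain_path, always_skip):
    """Model which chain certificates reach the SSL context.

    always_skip=True  models skip_first initialized to TRUE and never cleared.
    always_skip=False models skip_first initialized to FALSE; this example
    assumes it is then set only when the chain file is also the server
    certificate file (an assumption, not stated in the thread).
    """
    skip_first = True if always_skip else (cert_path == chain_path)
    certs = read_certs(FILES[chain_path])
    return certs[1:] if skip_first else certs

def dropped(cert_path, chain_path):
    """Certificates lost when skip_first is always TRUE."""
    good = chain_sent(cert_path, chain_path, always_skip=False)
    bad = chain_sent(cert_path, chain_path, always_skip=True)
    return [c for c in good if c not in bad]

if __name__ == "__main__":
    print(dropped("server.crt", "ca-chain.crt"))    # separate chain file
    print(dropped("combined.pem", "combined.pem"))  # leaf + chain in one file
```

In this model only the layout with a separate chain file loses a certificate, so a test setup that keeps the server certificate and its chain in one file would not show the problem.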
