Date: Tue, 07 Jan 2003 19:17:02 +0900 (JST)
Message-Id: <20030107.191702.110048220.t-sudou@ah.jp.nec.com>
To: dev@httpd.apache.org
Subject: mod_ssl(httpd-2.0.43) always skips a leading certificate of SSLCertificateChainFile
From: Tadasuke SUDO

Hello,

I encountered a problem: mod_ssl (httpd-2.0.43) always skips the leading certificate of SSLCertificateChainFile.

So, I checked the source code of httpd-2.0.43, and I found the related code in "ssl_engine_init.c". In the function "ssl_init_ctx_cert_chain()", the function "SSL_CTX_use_certificate_chain()" is invoked with some arguments - the third argument is a local boolean variable "skip_first". If skip_first is TRUE, SSL_CTX_use_certificate_chain() skips the leading certificate of SSLCertificateChainFile.

Because ssl_init_ctx_cert_chain() initializes skip_first to TRUE and never sets it to FALSE, skip_first is always TRUE. Therefore, the leading certificate of SSLCertificateChainFile is always skipped.

I think skip_first should be initialized to FALSE.

(Since mod_ssl-2.8.12-1.3.27 works fine, I checked its source code. There is similar code, and skip_first is initialized to FALSE.)

----
Tadasuke SUDO
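
The effect described in the message above, as an added example that is not part of the original message and is not mod_ssl code: a stand-alone model of a PEM chain loader with a skip_first flag. The names model_load_chain and SAMPLE_CHAIN are hypothetical, and the certificate bodies in the sample are constructed placeholders.

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"
#define PEM_END   "-----END CERTIFICATE-----"

/* Constructed sample chain file: two intermediates, placeholder bodies. */
static const char SAMPLE_CHAIN[] =
    PEM_BEGIN "\nPLACEHOLDER-INTERMEDIATE-CA-1\n" PEM_END "\n"
    PEM_BEGIN "\nPLACEHOLDER-INTERMEDIATE-CA-2\n" PEM_END "\n";

/*
 * Hypothetical model of a chain loader with a skip_first flag (not the
 * mod_ssl function). Walks every certificate block in pem, stores the
 * zero-based position of each block that would be added to the chain in
 * loaded[], and returns how many were added, or -1 on a truncated block.
 */
int model_load_chain(const char *pem, int skip_first, int *loaded, int max)
{
    int index = 0, n = 0;
    const char *p = pem;

    while ((p = strstr(p, PEM_BEGIN)) != NULL) {
        const char *end = strstr(p, PEM_END);
        if (end == NULL)
            return -1;                  /* BEGIN without a matching END */
        if (!(skip_first && index == 0) && n < max)
            loaded[n++] = index;        /* block 0 is dropped when skipping */
        index++;
        p = end + strlen(PEM_END);
    }
    return n;
}

int main(void)
{
    int loaded[8];
    int n;

    /* Flag always TRUE, as reported: the first intermediate is lost. */
    n = model_load_chain(SAMPLE_CHAIN, 1, loaded, 8);
    printf("skip_first=TRUE:  %d loaded, first is block %d\n", n, loaded[0]);

    /* Flag FALSE, as proposed: every block in the file is loaded. */
    n = model_load_chain(SAMPLE_CHAIN, 0, loaded, 8);
    printf("skip_first=FALSE: %d loaded, first is block %d\n", n, loaded[0]);
    return 0;
}
```

With the flag stuck at TRUE, a chain file holding two intermediates yields a chain of one, so a client that needs the first intermediate to build a path cannot validate the server certificate.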