httpd-dev mailing list archives

From "Plüm, Rüdiger, VF-Group" <ruediger.pl...@vodafone.com>
Subject RE: Certificate chain order not conform to TLS standard
Date Thu, 13 Aug 2009 09:06:57 GMT
 

> -----Original Message-----
> From: Peter Sylvester [mailto:peter.sylvester@edelweb.fr] 
> Sent: Thursday, 13 August 2009 10:51
> To: dev@httpd.apache.org
> Subject: Re: Certificate chain order not conform to TLS standard
> 
> Plüm, Rüdiger, VF-Group wrote:
> >  
> >
> >   
> >> -----Original Message-----
> >> From: Nick Gearls [mailto:nickgearls@gmail.com] 
> >> Sent: Thursday, 13 August 2009 08:51
> >> To: dev@httpd.apache.org
> >> Subject: Re: Certificate chain order not conform to TLS standard
> >>
> >> I tried both orders:
> >>
> >> 	 SSLCertificateFile       conf/ssl/server.pem
> >> 	 SSLCertificateChainFile  conf/ssl/chain.pem
> >>
> >> where server.pem contains both the cert and the private key,
> >> and chain.pem contains either CA/root or root/CA
> >>     
> >
> > Don't put the root cert in the chain file, only the intermediate certs.
> >
> >
> > Regards
> >
> > Rüdiger
> >   
> leaving the self-signed root should not be a problem:
> 
>      This is a sequence (chain) of X.509v3 certificates.  The sender's
>      certificate must come first in the list.  Each following
>      certificate must directly certify the one preceding it.  Because
>      certificate validation requires that root keys be distributed
>      independently, the self-signed certificate that specifies the root
>      certificate authority may optionally be omitted from the chain,
> 

Right, but as far as I remember there are some picky SSL clients that
puke if it is present. I am not saying that the behaviour of these clients
is correct. Thus I said don't put it in :-)


Regards

Rüdiger
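As an added example (not from this thread or from httpd), a stdlib-only Python check that applies the ordering rule quoted above to the two files named in Nick's configuration, and flags a self-signed root left at the end of the chain file. The fixture certificates it builds are constructed, structurally minimal shells rather than real certificates, and issuer/subject matching is by raw DER equality, which is an assumption of this example (real validators apply RFC 5280 name comparison).

```python
"""Chain-order check for mod_ssl's SSLCertificateFile + SSLCertificateChainFile (stdlib only):
server cert first, each later cert directly certifies the one before it, root optional."""
import base64

def pem_to_ders(text):
    """DER bytes of every CERTIFICATE block in a PEM file, in file order."""
    blocks = text.split("-----BEGIN CERTIFICATE-----")[1:]
    return [base64.b64decode("".join(b.split("-----END CERTIFICATE-----")[0].split())) for b in blocks]

def _tlv(buf, pos):
    """Read one DER TLV at pos: (tag, value bytes, offset just past it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def subject_issuer(der):
    """Return (subject, issuer) of an X.509 certificate as raw DER Name contents."""
    tbs = _tlv(_tlv(der, 0)[1], 0)[1]                   # Certificate -> tbsCertificate
    pos = _tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0      # skip optional [0] version
    pos = _tlv(tbs, _tlv(tbs, pos)[2])[2]               # skip serialNumber, signature alg
    _, issuer, pos = _tlv(tbs, pos)                     # issuer Name
    _, _, pos = _tlv(tbs, pos)                          # validity
    return _tlv(tbs, pos)[1], issuer                    # subject Name

def check_chain(server_pem, chain_pem):
    """List order problems; an empty list means the chain is TLS-conformant."""
    certs = pem_to_ders(server_pem)[:1] + pem_to_ders(chain_pem)
    names = [subject_issuer(c) for c in certs]          # (subject, issuer) per cert
    problems = [f"certificate {i + 1} does not certify certificate {i}"
                for i in range(len(certs) - 1) if names[i][1] != names[i + 1][0]]
    if len(certs) > 1 and names[-1][0] == names[-1][1]:
        problems.append("self-signed root is in the chain file; omit it")
    return problems

def _der(tag, body):
    """Encode one DER TLV with short- or long-form length (fixture helper)."""
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big") if n >= 128 else b""
    return bytes([tag, (0x80 | len(lb)) if lb else n]) + lb + body

def fake_cert_pem(subject_cn, issuer_cn):
    """Constructed fixture: a structurally minimal, unsigned certificate shell, not a real cert."""
    def name(cn):  # Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }
        return _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))))
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + _der(0x30, b"")
           + name(issuer_cn) + _der(0x30, b"") + name(subject_cn))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
```

Run it against real files with `check_chain(open("conf/ssl/server.pem").read(), open("conf/ssl/chain.pem").read())`; the private key block in server.pem is ignored because only CERTIFICATE blocks are parsed.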
 
