From: Nick Gearls
Date: Thu, 13 Aug 2009 08:50:45 +0200
To: dev@httpd.apache.org
Subject: Re: Certificate chain order not conform to TLS standard

I tried both orders:

    SSLCertificateFile conf/ssl/server.pem
    SSLCertificateChainFile conf/ssl/chain.pem

where server.pem contains both the cert and the private key, and chain.pem contains either CA/root or root/CA.

Plüm, Rüdiger, VF-Group wrote:
>
>> -----Original Message-----
>> From: Nick Gearls [mailto:nickgearls@gmail.com]
>> Sent: Wednesday, 12 August 2009 16:32
>> To: Development Apache
>> Subject: Certificate chain order not conform to TLS standard
>>
>> Hello,
>>
>> I get problems with a picky SSL client complaining that Apache does not
>> send the certificate chain in the right order (server/CA/root).
>> Is that possible? Doesn't Apache (I am using 2.2.4) honor the RFC?
>
> This is not a matter of httpd but a matter in which order you
> put the certificates of the chain in the chainfile.
> Try changing their order in the chainfile.
>
> Regards
>
> Rüdiger
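
Added example, not part of the original thread and not httpd code: a standard-library check that the first certificate in server.pem followed by the certificates in chain.pem forms the server/CA/root order discussed above, by comparing each certificate's issuer Name with the next certificate's subject Name. It checks name chaining only, not signatures. All function names are hypothetical, and the sample certificates are constructed skeletons without keys or signatures.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    """DER bytes of every CERTIFICATE block, in file order (private keys are skipped)."""
    return [base64.b64decode("".join(b.split())) for b in PEM_RE.findall(text)]

def _tlv(buf, pos):
    """Read the DER header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER issuer and subject Names of an X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                # Certificate
    _, pos, _ = _tlv(der, pos)              # tbsCertificate
    tag, _, end = _tlv(der, pos)            # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, end = _tlv(der, end)          # version was present: skip serialNumber too
    _, _, iss = _tlv(der, end)              # skip signature AlgorithmIdentifier
    _, _, iss_end = _tlv(der, iss)          # issuer Name
    _, _, sub = _tlv(der, iss_end)          # skip validity
    _, _, sub_end = _tlv(der, sub)          # subject Name
    return der[iss:iss_end], der[sub:sub_end]

def misordered(server_pem, chain_pem):
    """Positions in the sent list whose subject is not the issuer of the previous cert."""
    sent = pem_certs(server_pem)[:1] + pem_certs(chain_pem)
    names = [issuer_and_subject(c) for c in sent]
    return [i + 1 for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]

# Constructed sample data (hypothetical names): skeleton certificates, no keys or signatures.
def _der(tag, body):
    return bytes([tag, len(body)]) + body   # short-form length only (< 128 bytes)
def fake_cert(subject, issuer):
    name = lambda cn: _der(0x30, _der(0x0C, cn.encode()))
    tbs = (_der(0xA0, _der(2, b"\x02")) + _der(2, b"\x01") + _der(0x30, b"")
           + name(issuer) + _der(0x30, b"") + name(subject))
    body = base64.b64encode(_der(0x30, _der(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"  # placeholder, not a key
SERVER = fake_cert("www.example.test", "Example CA") + KEY
CA, ROOT = fake_cert("Example CA", "Example Root"), fake_cert("Example Root", "Example Root")
if __name__ == "__main__":
    print(misordered(SERVER, CA + ROOT), misordered(SERVER, ROOT + CA))  # [] [1, 2]
```

An empty list means every certificate is followed by its issuer; with the root/CA order, positions 1 and 2 are both flagged.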