httpd-dev mailing list archives

From Daniel Ruggeri <DRugg...@primary.net>
Subject Re: svn commit: r1160863 - in /httpd/httpd/trunk: docs/manual/mod/ modules/ssl/
Date Wed, 14 Sep 2011 20:32:08 GMT
On 9/6/2011 12:21 AM, Kaspar Brand wrote:
> On 05.09.2011 21:59, Daniel Ruggeri wrote:
>> could be reused to build a chain for the server side of mod_ssl (because
>> today, the chain certs get presented in whatever order they are in the
>> file resulting in unhappy java clients). With a little bit of
>> refactoring on the server side, this could be taken care of just as well.
> I agree, this is definitely desirable, and we should certainly do it for
> trunk. As suggested by Steve, we shouldn't simply ignore all
> X509_verify_cert errors in this case, too. Something like
> modssl_check_cert(), which returns a proper chain on success, would be
> my idea.
>
>> I've made a few adjustments and built/tested the snippet below. Works
>> well, though in my test cases I can't tell if the chain is being sent or
>> not (suggestions on how to verify?).
> If you have a proxied server which runs httpd/mod_ssl, then you can use
> the SSLOptions +ExportCertData, and look for the SSL_CLIENT_CERT_CHAIN_n
> environment vars.
>

My usage tests pass muster with the approach we have discussed, so I
have updated trunk and the 2.2 backport proposal. At this point, I am
satisfied with this particular patch, though I won't lose sight of the
server-side issue. Since the patch should now be complete, I have given
my vote in the 2.2 STATUS file and would appreciate any further
review/votes.

-- 
Daniel Ruggeri
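Kaspar's verification suggestion above (turn on SSLOptions +ExportCertData on the proxied backend, then look at the SSL_CLIENT_CERT_CHAIN_n variables) can be checked with a small CGI script on that backend. The script below is an added example and is not code from this thread or from httpd; it assumes the backend runs httpd/mod_ssl with mod_cgi and +ExportCertData enabled, so that mod_ssl puts the exported chain into the CGI environment as SSL_CLIENT_CERT_CHAIN_0, SSL_CLIENT_CERT_CHAIN_1, and so on. The function names are the example's own, and the PEM values used when testing it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from httpd): a CGI script for a
# proxied backend running with "SSLOptions +ExportCertData". It reports how
# many chain certificates the proxy sent and, where openssl is installed,
# the subject/issuer of each element so the ordering can be checked.
# Assumption: httpd exports the chain as SSL_CLIENT_CERT_CHAIN_n, n from 0.

# chain_count: number of SSL_CLIENT_CERT_CHAIN_n variables in the environment.
chain_count() {
    env | grep -c '^SSL_CLIENT_CERT_CHAIN_[0-9][0-9]*='
}

# chain_summary: one line per chain element, walking n = 0, 1, ... until a
# variable is missing. Uses openssl when available and the PEM parses;
# otherwise falls back to reporting the PEM length.
chain_summary() {
    n=0
    while true; do
        eval "pem=\${SSL_CLIENT_CERT_CHAIN_$n:-}"
        [ -n "$pem" ] || break
        if command -v openssl >/dev/null 2>&1 &&
           names=$(printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer 2>/dev/null); then
            printf 'chain[%d]: %s\n' "$n" "$(printf '%s' "$names" | tr '\n' ' ')"
        else
            printf 'chain[%d]: %d bytes of PEM\n' "$n" "${#pem}"
        fi
        n=$((n + 1))
    done
}

# When invoked by httpd as a CGI script, emit a proper text/plain response;
# when run by hand, just print the summary for whatever is in the environment.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    printf 'Content-Type: text/plain\r\n\r\n'
fi
printf 'SSL_CLIENT_S_DN: %s\n' "${SSL_CLIENT_S_DN:-<none>}"
printf 'chain elements exported: %s\n' "$(chain_count)"
chain_summary
```

Drop the script into a CGI-enabled location on the backend and request it through the proxy; a chain that is not being forwarded shows up as "chain elements exported: 0", while a forwarded chain lists its elements in the order mod_ssl received them, which is exactly the ordering question raised for the server side.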

