Message-ID: <4E623321.5080105@primary.net>
Date: Sat, 03 Sep 2011 09:01:05 -0500
From: Daniel Ruggeri
To: dev@httpd.apache.org
Subject: Re: svn commit: r1160863 - in /httpd/httpd/trunk: docs/manual/mod/modules/ssl/
In-Reply-To: <4E61C3CE.4020500@velox.ch>

On 9/3/2011 1:06 AM, Kaspar Brand wrote:
> Nit: could you replace "intermediary" by "intermediate" in all log
> messages and comments? The former isn't really an X.509/PKIX term. (In
> the above message, I suggest saying "intermediate CA certificates".)

No problem.

> I think it's preferable to let OpenSSL build the chain (instead of
> doing it ourselves). There's no readily available function for this,
> unfortunately, but could you try something along the lines in OpenSSL's
> s3_both.c:ssl3_output_cert_chain()? See
>
> http://cvs.openssl.org/chngview?cn=18326
>
> I.e., use X509_verify_cert(), ignore its result, but grab the chain from
> the X509_STORE_CTX afterwards. (And when you're done, it's probably
> wise to call ERR_clear_error, see http://cvs.openssl.org/chngview?cn=19472).

I searched for a function to do exactly this and came up empty. Thank
you very much for bringing this to my attention! I'll definitely update
the patch with this because the method I'm using is certainly a
sticks-and-stones approach.

--
Daniel Ruggeri