httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: Deprecating (and eventually removing) encrypted private key support in mod_ssl?
Date Sat, 28 Dec 2013 13:34:51 GMT
On 18.11.2013 18:42, Kaspar Brand wrote:
> On 18.11.2013 15:38, Dr Stephen Henson wrote:
>> For OpenSSL 1.0.2 this limitation is removed and you can have different chains
>> for each certificate type (and for SSL structures too) and it just uses the
>> right one. This uses the function SSL_CTX_add1_chain_cert which adds a
>> certificate to the chain for the current certificate.
>>
>> I *could* change SSL_CTX_use_certificate_chain_file to use
>> SSL_CTX_add1_chain_cert instead of SSL_CTX_add_extra_chain_cert or perhaps have
>> a different function. I'm always cautious about changing the behaviour of
>> existing functions though as the most innocent change will usually break
>> *something*, though I can't see how it can in this case.
> 
> I would be in favor of this change for 1.0.2 - to me that would be more
> like a "fix" of SSL_CTX_use_certificate_chain_file than a change in
> behavior, actually.

FYI: in r1553824 (which I just committed to trunk), I'm now manually
shuffling things around to support per-cert chains - but would happily
drop the "#if defined(SSL_CTX_set1_chain)"-enclosed code if you decide
to adapt SSL_CTX_use_certificate_chain_file in 1.0.2.

Kaspar
