httpd-dev mailing list archives

From Jan Kaluza <jkal...@redhat.com>
Subject Re: svn commit: r1550060 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_config.c
Date Thu, 02 Jan 2014 06:49:41 GMT
On 12/13/2013 09:54 AM, Ruediger Pluem wrote:
>
>
> jkaluza@apache.org wrote:
>> Author: jkaluza
>> Date: Wed Dec 11 07:16:28 2013
>> New Revision: 1550060
>>
>> URL: http://svn.apache.org/r1550060
>> Log:
>> mod_ssl: Add -t -DDUMP_CA_CERTS option which dumps the filenames of all
>> configured SSL CA certificates to stdout the same way as DUMP_CERTS does.
>>
>> Modified:
>>      httpd/httpd/trunk/CHANGES
>>      httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
>>
>
>> Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
>> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1550060&r1=1550059&r2=1550060&view=diff
>> ==============================================================================
>> --- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
>> +++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Wed Dec 11 07:16:28 2013
>> @@ -1870,30 +1870,95 @@ const char *ssl_cmd_SSLSRPUnknownUserSee
>>
>>   #endif /* HAVE_SRP */
>>
>> -void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
>> +static void dump_ca_cert_file(apr_file_t *out, const char *file) {
>> +    X509 *rc;
>> +    BIO *bioS;
>> +
>> +    if ((bioS=BIO_new_file(file, "r")) == NULL) {
>> +        return;
>> +    }
>> +
>> +    /* ca_cert_file is loaded using SSL_load_client_CA_file(). This method
>> +     * loads only file of PEM formatted certificates, so we have to load
>> +     * only PEM here too, to stay consistent.
>> +     */
>> +    rc = PEM_read_bio_X509 (bioS, NULL, NULL, NULL);
>> +    BIO_free(bioS);
>> +    if (rc) {
>> +        apr_file_printf(out, "  %s\n", file);
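Review bot: the X509 returned by PEM_read_bio_X509() is stored in rc but, in the lines quoted here, is never passed to X509_free(); unless the part of the function cut off below releases it, every loadable CA file leaks one X509 per `-t -DDUMP_CA_CERTS` run, which also makes the code noisy under leak checkers. Suggest `X509_free(rc);` right after the `apr_file_printf(out, "  %s\n", file);` line (or after the if block), and renaming `rc` to `cert`, since `rc` reads as a return code rather than a certificate. Two smaller points: PEM_read_bio_X509() returns only the first certificate in the file, so a bundle whose first block parses is listed even if later blocks are broken, which is worth a sentence in the comment or the CHANGES entry; and `bioS=BIO_new_file(file, "r")` and `PEM_read_bio_X509 (bioS, ...` have spacing that does not match the surrounding httpd style (spaces around `=`, none before the opening parenthesis).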
>
> Hm, do I miss the point or why don't we print out anything from the cert we just loaded
> and just the filename?
> Do we just want to know if the cert file loads?

First of all, sorry for the late response, I was away during Christmas time. The 
idea was to stay consistent with what DUMP_CERTS does, so DUMP_CA_CERTS 
prints only the filename of the cert so it can later be passed to certwatch.

I'm trying to load the certificate to find out if it's valid. I think 
this has to be done, because you can use SSLCACertificatePath to set 
the path to a directory containing CA certificates, and to print only 
the valid certificates from this directory we have to actually try to 
load them and ignore those which can't be loaded.

This is not done for DUMP_CERTS, because there is no directory 
equivalent of SSLCertificateFile (which is logical).

If we presume that the directory specified by SSLCACertificatePath contains 
only valid certificates and no other files, we could remove that 
validity check and just print the filenames of all files in that directory.

> Regards
>
> Rüdiger
>

Regards,
Jan Kaluza
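The directory filter Jan describes above, as an added example that is not part of this thread or of mod_ssl: walk SSLCACertificatePath, try to load each file as a PEM certificate, and list only the files that load, the way the -DDUMP_CA_CERTS loop does. It is pure Python with no OpenSSL binding, so the "does it load" step is a structural check on the PEM label and the outer DER shape of a Certificate (SEQUENCE { tbsCertificate SEQUENCE, signatureAlgorithm SEQUENCE, signatureValue BIT STRING }) standing in for PEM_read_bio_X509(); it is not a full X.509 parse. The directory contents, including the "certificate", are constructed dummy data, and every name here (dump_ca_certs, looks_like_x509, make_sample_dir) is this example's own. Like PEM_read_bio_X509(), only the first PEM block of each file is inspected, so a bundle file is listed as long as its first block loads.

```python
import base64
import os
import re
import tempfile

# First PEM block in a file. PEM_read_bio_X509() wants the CERTIFICATE label;
# anything else (e.g. a key that landed in the CA directory) is skipped.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, next_pos) or None."""
    if pos >= len(buf):
        return None
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or pos + 1 + n > len(buf):
        return None
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def der_elements(buf):
    """Split a DER byte string into (tag, content) pairs; None if malformed."""
    out, pos = [], 0
    while pos < len(buf):
        r = der_len(buf, pos + 1)
        if r is None:
            return None
        length, start = r
        if start + length > len(buf):
            return None
        out.append((buf[pos], buf[start:start + length]))
        pos = start + length
    return out


def looks_like_x509(der):
    """Stand-in for PEM_read_bio_X509(): one outer SEQUENCE whose children are
    SEQUENCE, SEQUENCE, BIT STRING. Structural only, not a real X.509 parse."""
    outer = der_elements(der)
    if outer is None or len(outer) != 1 or outer[0][0] != 0x30:
        return False
    inner = der_elements(outer[0][1])
    return inner is not None and [t for t, _ in inner] == [0x30, 0x30, 0x03]


def load_first_pem_cert(path):
    """DER bytes of the first CERTIFICATE block in path, or None if it does
    not load (wrong label, bad base64, or not a Certificate structure)."""
    with open(path, "rb") as f:
        m = PEM_BLOCK.search(f.read())
    if m is None or m.group(1) != b"CERTIFICATE":
        return None
    try:
        der = base64.b64decode(m.group(2))
    except ValueError:
        return None
    return der if looks_like_x509(der) else None


def dump_ca_certs(directory):
    """Mirror of the DUMP_CA_CERTS loop over SSLCACertificatePath: print and
    return the files that load as a PEM certificate, silently skipping the rest."""
    found = [os.path.join(directory, n) for n in sorted(os.listdir(directory))]
    found = [p for p in found if os.path.isfile(p) and load_first_pem_cert(p)]
    for path in found:
        print("  %s" % path)
    return found


# --- constructed sample data (dummy content, not a real certificate) ---------
def _der(tag, content):          # short-form lengths suffice for the samples
    return bytes([tag, len(content)]) + content


def _pem(label, der):
    return b"-----BEGIN %s-----\n%s-----END %s-----\n" % (
        label, base64.encodebytes(der), label)


SAMPLE_CERT_DER = _der(0x30, _der(0x30, _der(0x02, b"\x01"))       # tbs
                       + _der(0x30, _der(0x06, b"\x2a\x03"))         # sigalg
                       + _der(0x03, b"\x00\xff"))                    # sigval


def make_sample_dir():
    """A fake SSLCACertificatePath with a loadable cert and several decoys."""
    d = tempfile.mkdtemp()
    files = {
        b"ca-good.pem": _pem(b"CERTIFICATE", SAMPLE_CERT_DER),
        b"not-a-cert.key": _pem(b"PRIVATE KEY", SAMPLE_CERT_DER),   # wrong label
        b"corrupt.pem": _pem(b"CERTIFICATE", b"\x30\x03\x02\x01\x01"),  # not a Certificate
        b"README": b"CA certificates live here\n",                  # plain text
        b"bundle.pem": _pem(b"CERTIFICATE", SAMPLE_CERT_DER) + b"trailing junk\n",
    }
    for name, data in files.items():
        with open(os.path.join(d, name.decode()), "wb") as f:
            f.write(data)
    return d


def demo():
    """Basenames DUMP_CA_CERTS would list for the sample directory."""
    return [os.path.basename(p) for p in dump_ca_certs(make_sample_dir())]


if __name__ == "__main__":
    demo()
```

Only bundle.pem and ca-good.pem are listed; the key file, the well-formed-but-not-a-certificate DER and the README are dropped without any message, which is the behaviour the validity check buys over a plain directory listing.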

