httpd-dev mailing list archives

From Kaspar Brand <>
Subject Re: svn commit: r1550060 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_config.c
Date Sun, 05 Jan 2014 10:10:37 GMT
On 02.01.2014 07:49, Jan Kaluza wrote:
> First of all, sorry for the late response, I was away during Christmas time. The
> idea was to stay consistent with what DUMP_CERTS does, so DUMP_CA_CERTS
> prints only the filename of the cert so it can later be passed to certwatch.
> I'm trying to load the certificate to find out if it's valid. I think
> this has to be done, because you can use SSLCACertificatePath to set the
> path to a directory containing CA certificates, and to print really only
> the valid certificates from this directory, we have to actually try to load
> them and ignore those which can't be loaded.

Checking for file contents shouldn't happen at this place, I think. As
the comments in the sources say, ssl_hook_ConfigTest is supposed to
"Dump the filenames of all configured ... certificates to stdout".
Suppressing a file name if the file doesn't include a PEM block with a
certificate makes the output rather confusing, IMO.

> If we presume that the directory specified by SSLCACertificatePath contains
> only valid certificates and no other files, we could remove that
> validity check and just print the filenames of all files in that directory.

The files in that directory are accessed via their OpenSSL subject name
hashes, i.e. OpenSSL will look for file names like 5e5a5bcb.0 etc. It's
therefore rather misleading if -DDUMP_CA_CERTS dumps all files in a
directory, only based on whether their contents include at least one PEM

Maybe it would help if you could come up with a short description of
what problem you're trying to solve (apparently it's driven by RFEs for
certwatch, from what I understand, but it's not clear to me what exactly
you're trying to achieve).
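The point above about hashed file names can be made concrete. The following is an added example, not code from httpd or from either author of this thread: it models OpenSSL's hashed-directory lookup (files named `<8 hex digits>.<N>`, tried for N = 0, 1, 2, ... until the first missing index) over a constructed sample SSLCACertificatePath, and reports which files containing a PEM certificate block that lookup would never open. The subject hash `5e5a5bcb` is the one quoted in the mail; the certificate bodies are placeholders, not real certificates, and the hash for a real file would come from `openssl x509 -subject_hash -noout -in cert.pem` or `c_rehash`, which this example does not reproduce.

```python
import os
import re
import tempfile

# OpenSSL's by_dir lookup opens files named <subject-name hash>.<N>,
# N = 0, 1, 2, ..., and stops at the first index that does not exist.
HASHED_NAME = re.compile(r"^([0-9a-f]{8})\.(\d+)$")
PEM_CERT_BEGIN = b"-----BEGIN CERTIFICATE-----"


def hashed_lookup_files(directory, subject_hash):
    """Return the file names OpenSSL would open for subject_hash, in order."""
    found = []
    n = 0
    while True:
        name = "%s.%d" % (subject_hash, n)
        if not os.path.isfile(os.path.join(directory, name)):
            break
        found.append(name)
        n += 1
    return found


def unreachable_pem_files(directory):
    """Files that contain a PEM certificate block but that no hashed lookup
    would ever open: wrong name, or an index beyond a gap in the sequence."""
    names = sorted(n for n in os.listdir(directory)
                   if os.path.isfile(os.path.join(directory, n)))
    hashes = {m.group(1) for m in map(HASHED_NAME.match, names) if m}
    reachable = set()
    for h in hashes:
        reachable.update(hashed_lookup_files(directory, h))
    skipped = []
    for name in names:
        if name in reachable:
            continue
        with open(os.path.join(directory, name), "rb") as f:
            if PEM_CERT_BEGIN in f.read():
                skipped.append(name)
    return skipped


def build_demo_dir():
    """Constructed sample directory; placeholder PEM bodies, not real certs."""
    d = tempfile.mkdtemp(prefix="cacerts-")
    fake_pem = (PEM_CERT_BEGIN + b"\nPLACEHOLDER-NOT-A-REAL-CERTIFICATE\n"
                b"-----END CERTIFICATE-----\n")
    entries = (
        ("5e5a5bcb.0", fake_pem),        # reachable: hash from the mail, index 0
        ("5e5a5bcb.1", fake_pem),        # reachable: second cert, same hash
        ("5e5a5bcb.3", fake_pem),        # never opened: index 2 is missing
        ("intermediate.pem", fake_pem),  # PEM, but not a hashed file name
        ("README", b"notes\n"),          # no PEM block at all
    )
    for name, body in entries:
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    return d


if __name__ == "__main__":
    d = build_demo_dir()
    print("opened for 5e5a5bcb:", hashed_lookup_files(d, "5e5a5bcb"))
    print("PEM files never opened:", unreachable_pem_files(d))
```

Run against a real SSLCACertificatePath, `unreachable_pem_files` lists exactly the files a "dump everything that parses as PEM" approach would report even though OpenSSL will never consult them, which is the confusion the mail warns about.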
