httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jan Kalu┼ża <jkal...@redhat.com>
Subject Re: svn commit: r1550060 - in /httpd/httpd/trunk: CHANGES modules/ssl/ssl_engine_config.c
Date Mon, 06 Jan 2014 07:46:44 GMT
On 01/05/2014 11:10 AM, Kaspar Brand wrote:
> On 02.01.2014 07:49, Jan Kaluza wrote:
>> At first sorry for late response, I was away during Christmas time. The
>> idea was to stay consistent with what DUMP_CERTS does, so DUMP_CA_CERTS
>> prints only filename of the cert so it can be later passed to certwatch.
>>
>> I'm trying to load the certificate to find out if it's valid. I think
>> this has to be done, because you can use SSLCACertificatePath to set
>> path to directory containing CA certificates and to print really only
>> valid certificates from this directory, we have to actually try to load
>> them and ignore those which can't be loaded.
>
> Checking for file contents shouldn't happen at this place, I think. As
> the comments in the sources say, ssl_hook_ConfigTest is supposed to
> "Dump the filenames of all configured ... certificates to stdout".
> Suppressing a file name if the file doesn't include a PEM block with a
> certificate makes the output rather confusing, IMO.

I think I have no problem with changing the code to work as you 
describe. I've only thought the way it works now is better, because 
otherwise httpd could dump some files which it does not consider later. 
This could be confusing as well.

>> If we presume that directory specified by SSLCACertificatePath contains
>> only valid certificates and no other files, we could remove that
>> validity check and just print filenames of all files in that directory.
>
> The files in that directory are accessed via their OpenSSL subject name
> hashes, i.e. OpenSSL will look for file names like 5e5a5bcb.0 etc. It's
> therefore rather misleading if -DDUMP_CA_CERTS dumps all files in a
> directory, only based on whether their contents include at least one PEM
> block with BEGIN/END CERTIFICATE.

Hm, I think when I was testing that in December it definitely worked 
with different filenames too. I will give it a try again, but if it's 
like that, my current code is wrong and needs change definitely.

> Maybe it would help if you could come up with a short description of
> what problem you're trying to solve (apparently it's driven by RFEs for
> certwatch, from what I understand, but it's not clear to me what exactly
> you're trying to achieve).

The problem I'm trying to solve is that there are admins with websites 
which requires the users accessing the website to have client 
certificates signed by certain CAs. There was an incident where a CA 
re-issued their signing cert because the old one was expiring. The admin 
didn't know this, so when the old certificate expired, all users whose 
certificates were signed by that CA could no longer get in because they 
had not updated the cert for that CA.

If httpd had a "-DDUMP_CA_CERTS" option, they could use certwatch or 
similar tool to be warned before CA cert expires.

> Kaspar
>

Regards,
Jan Kaluza


Mime
View raw message