httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dr Stephen Henson <>
Subject Re: mod_ssl-2.4.x-certkeyfile and OCSPStapling
Date Wed, 05 Feb 2014 12:31:18 GMT
On 05/02/2014 07:17, Kaspar Brand wrote:
> There are two ways to address the issue: either in mod_ssl, or in
> OpenSSL. I'm not sure which one is preferrable, but Mr. OpenSSL will
> hopefully tell us... (Steve: in theory, modifying the behavior of
> SSL_CTX_get_extra_chain_certs should be acceptable, given that only
> SSL_CTX_get0_chain_certs is documented, what do you think?)

In OpenSSL a function being undocumented is no guarantee something wont call it ;-)

It's not totally clear cut.

With that change an application can no longer obtain the extra_chain_certs only
and get NULL if there aren't any. However an application which is explicitly
using per-certificate chains shouldn't be using the extra_chain_certs anyway.

OTOH an existing application could uses SSL_CTX_use_certificate_chain_file and
then try to retrieve extra chain certificates using
SSL_CTX_get_extra_chain_certs. With the 1.0.2 changes to
SSL_CTX_use_certificate_chain_file that would fail in 1.0.2 without that change.

On balance I think that change should go in OpenSSL. I'll hear soon enough if it
breaks anything...

Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775

View raw message