httpd-dev mailing list archives

From Dr Stephen Henson <shen...@opensslfoundation.com>
Subject Re: mod_ssl patch: use new OpenSSL features to autofix cert chains
Date Thu, 27 Mar 2014 14:28:45 GMT
On 27/03/2014 13:01, Emilia Kasper wrote:
> On Wed, Mar 26, 2014 at 4:56 PM, Dr Stephen Henson
> <shenson@opensslfoundation.com> wrote:
>
>     On 26/03/2014 13:38, Emilia Kasper wrote:
>     > On Wed, Mar 26, 2014 at 1:11 PM, Dr Stephen Henson
>     > <shenson@opensslfoundation.com> wrote:
>     >
>
>     Well if you set SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR then it will reorder the chain
>     as best it can and just not fail if the chain is incomplete or broken in any
>     other way. That's how the on the fly path building works at present.
> 
>     Personally I'd prefer it to return errors. That will catch other common problems
>     like expiry of any certificate in the chain.
> 
> 
> Except it'll never get to checking expiry if there's no root cert.
> 
> I think I'd prefer to ignore but log build errors - but that I can't do because
> the SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR flag clears the error stack.
> 

I've updated it to not clear errors from the stack by default and to return 2 if
there is a verification failure. That can be used to log a warning.

Steve.
-- 
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shenson@opensslfoundation.com
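[Editor's added example, not part of the original message, the mod_ssl patch or OpenSSL itself.] The exchange above is about what a server should do when the configured chain is out of order or incomplete: build the best path it can, and, with the patched SSL_CTX_build_cert_chain under SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR, return 2 instead of failing so mod_ssl can log a warning. The POSIX shell script below reproduces that behaviour with the openssl command-line tool, which it assumes is installed (1.1.1 or later). It generates a throwaway root -> intermediate -> leaf PKI (all names constructed here), rebuilds the chain from an unordered pool by walking issuer names, returns 0 when a self-signed root is reached and 2 when the pool runs out, and then shows the point Emilia raises: with no trust anchor at all, validation stops at "unable to get issuer certificate" and never gets as far as expiry. The function names (make_pki, build_chain, verify_chain, verify_no_anchor) are this example's own.

```shell
#!/bin/sh
# Added example (not from the mod_ssl patch or OpenSSL): a toy chain builder
# plus the openssl CLI checks that show why chain fixing matters.
# Assumes the openssl binary is on PATH. Everything else is created here.
set -eu

W="${TMPDIR:-/tmp}/chainfix.$$"
mkdir -p "$W/pool_full" "$W/pool_noroot" "$W/pool_nointer"
trap 'rm -rf "$W"' EXIT

# Distinguished names: the "subject=" / "issuer=" prefixes differ but the rest
# is formatted identically, so stripping the prefix makes them comparable.
subject_of() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# Constructed PKI: root -> intermediate -> leaf, with a minimal req config so
# the script does not depend on the system openssl.cnf.
make_pki() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$W/req.cnf"
  printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' > "$W/ca.ext"
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:www.example.test\n' > "$W/leaf.ext"
  openssl req -config "$W/req.cnf" -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Root" -addext "basicConstraints=critical,CA:TRUE" \
    -keyout "$W/root.key" -out "$W/root.pem" 2>/dev/null
  openssl req -config "$W/req.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate" -keyout "$W/inter.key" -out "$W/inter.csr" 2>/dev/null
  openssl x509 -req -in "$W/inter.csr" -CA "$W/root.pem" -CAkey "$W/root.key" \
    -CAcreateserial -days 365 -extfile "$W/ca.ext" -out "$W/inter.pem" 2>/dev/null
  openssl req -config "$W/req.cnf" -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" -keyout "$W/leaf.key" -out "$W/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$W/leaf.csr" -CA "$W/inter.pem" -CAkey "$W/inter.key" \
    -CAcreateserial -days 365 -extfile "$W/leaf.ext" -out "$W/leaf.pem" 2>/dev/null
  # Pools in deliberately scrambled order (root before intermediate), plus two
  # broken pools: one missing the root, one missing the intermediate.
  cp "$W/root.pem" "$W/pool_full/a.pem"; cp "$W/inter.pem" "$W/pool_full/b.pem"
  cp "$W/inter.pem" "$W/pool_noroot/a.pem"
  cp "$W/root.pem" "$W/pool_nointer/a.pem"
}

# Toy equivalent of chain building with "ignore error": starting at the leaf,
# repeatedly pull the pool certificate whose subject equals the current issuer.
# Returns 0 when a self-signed root is reached, 2 when the pool runs out first;
# in both cases $out holds the chain as far as it could be built, so the
# caller can log a warning and carry on rather than refuse to start.
build_chain() {
  leaf=$1; pool=$2; out=$3
  cat "$leaf" > "$out"
  cur=$leaf
  while :; do
    iss=$(issuer_of "$cur")
    if [ "$(subject_of "$cur")" = "$iss" ]; then
      return 0                         # self-signed: root reached
    fi
    next=""
    for c in "$pool"/*.pem; do
      [ -f "$c" ] || continue
      if [ "$(subject_of "$c")" = "$iss" ]; then next=$c; break; fi
    done
    if [ -z "$next" ]; then
      return 2                         # incomplete: issuer not in the pool
    fi
    cat "$next" >> "$out"
    cur=$next
  done
}

count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

# What a client does with the result: path validation to a trust anchor.
verify_chain() { openssl verify -CAfile "$2" -untrusted "$1" "$3" >/dev/null 2>&1; }
# No trust anchor at all: validation fails on the missing issuer and never
# reaches expiry (or any other) checks on the individual certificates.
verify_no_anchor() { openssl verify -no-CAfile -no-CApath -untrusted "$1" "$2" >/dev/null 2>&1; }

make_pki
for p in full noroot nointer; do
  rc=0
  build_chain "$W/leaf.pem" "$W/pool_$p" "$W/chain_$p.pem" || rc=$?
  echo "pool_$p: build rc=$rc, $(count_certs "$W/chain_$p.pem") cert(s) in chain"
done
verify_chain "$W/chain_full.pem" "$W/root.pem" "$W/leaf.pem" && echo "full chain verifies against the root"
verify_no_anchor "$W/chain_full.pem" "$W/leaf.pem" || echo "same chain with no trust anchor: fails before expiry is checked"
```

The return code of 2 is the useful part for a server: the chain was reordered and written out as far as the pool allowed, and the caller decides whether that is a warning (the configured file merely lacks the root, which clients carry anyway) or a hard error (the intermediate is missing, so no client will validate the leaf).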
