httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Emilia Kasper <>
Subject mod_ssl patch: use new OpenSSL features to autofix cert chains
Date Wed, 26 Mar 2014 11:11:19 GMT
Hi mod_ssl devs,

I have a small patch for mod_ssl that uses new OpenSSL (>=1.0.2) methods
when available to automatically rebuild misconfigured certificate chains.

Github pull request:

Some of the common server chain misconfigurations are a) including the
self-signed root certificate in the chain and b) missing an intermediate
certificate in the chain. a) is bad because it bloats the handshake and b)
is bad because the client can't always validate the chain.

The patch fixes a) by sanity-checking the chain and chopping self-signed
roots. I believe it's harmless to turn on by default as the rebuild step
will either yield a valid chain or preserve the original configuration.

I've no good idea how to reliably detect and fix missing intermediates but
would be happy to try out any good suggestions.


View raw message