httpd-dev mailing list archives

From: Jeff Trawick <traw...@gmail.com>
Subject: Re: SSLCertificateChainFile deprecation, still
Date: Mon, 15 Jun 2015 17:04:30 GMT
On Mon, Jun 15, 2015 at 11:10 AM, Jeff Trawick <trawick@gmail.com> wrote:

> On Mon, Jun 15, 2015 at 10:54 AM, William A Rowe Jr <wrowe@rowe-clan.net>
> wrote:
>
>> On Mon, Jun 15, 2015 at 8:12 AM, Eric Covener <covener@gmail.com> wrote:
>>
>>> Anyone else inclined to just remove the message? It's a deprecation that
>>> didn't happen on a release boundary. AFAICT there's no reason to change how
>>> you run your server unless you use two different cert chains and then you'd
>>> find the info in the manual.
>>>
>>
>> +1, this is highly irregular.  Our general statement is that config
>> changes are not strictly necessary on subversion updates of httpd.
>>  (Securing your SSLCipherList notwithstanding.)
>>
>> Bill
>>
>
> +1, but IMO the whole idea should be revisited.
>
> Storing intermediate certificates separately is a problem when you have
> multiple certificates with different algorithms.  (Which server cert(s)
> do/does the intermediate cert file go with?)
>
> For cases where there's no ambiguity, we have a trade-off between
>
> 1) being able to get rid of the directive since the intermediate certs
> don't necessarily need to be stored separately
> 2) a future migration headache, if not nightmare, for sites with many
> vhosts where different users manage the certs
>
> We need to favor #2.
>
> For cases where there is an ambiguity, we should deprecate being able to
> configure that, and visibly warn that there's a likely problem ASAP.
>

well, "a likely problem" can't be right, unless they just configured it and
it doesn't work correctly yet :)

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
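
Added example, not part of the original message or of httpd itself: a small config check that separates the two cases discussed in the thread, scopes where SSLCertificateChainFile sits beside a single SSLCertificateFile (no ambiguity) and scopes where it sits beside several (unclear which server certificate the intermediates belong to). The function name, scope labels and sample paths are hypothetical; the parser assumes one directive per line and does not follow Include or model merging of server-level settings into vhosts.

```python
import re

# Constructed sample config (not from the thread): one vhost pairs an RSA and
# an ECDSA certificate with a single chain file, the other has one certificate.
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName dual.example.org
    SSLCertificateFile /etc/ssl/dual-rsa.crt
    SSLCertificateFile /etc/ssl/dual-ecdsa.crt
    SSLCertificateChainFile /etc/ssl/rsa-intermediates.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName single.example.org
    SSLCertificateFile /etc/ssl/single.crt
    # SSLCertificateFile /etc/ssl/old.crt
    SSLCertificateChainFile /etc/ssl/intermediates.pem
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]*)>", re.I)
VHOST_CLOSE = re.compile(r"</VirtualHost\s*>", re.I)

# Hypothetical helper: classify every scope that uses SSLCertificateChainFile.
def classify_chain_usage(conf_text):
    """Return {scope: 'ambiguous' | 'unambiguous'} for scopes with a chain file."""
    scopes = {}  # scope label -> {"certs": [...], "chains": [...]}
    current, count = "global", 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and comments
            continue
        m = VHOST_OPEN.match(line)
        if m:
            count += 1
            current = f"vhost#{count} {m.group(1).strip()}"
            continue
        if VHOST_CLOSE.match(line):
            current = "global"
            continue
        parts = line.split(None, 1)
        name = parts[0].lower()  # httpd directive names are case-insensitive
        arg = parts[1].strip().strip('"') if len(parts) > 1 else ""
        entry = scopes.setdefault(current, {"certs": [], "chains": []})
        if name == "sslcertificatefile":
            entry["certs"].append(arg)
        elif name == "sslcertificatechainfile":
            entry["chains"].append(arg)
    return {scope: ("ambiguous" if len(e["certs"]) > 1 else "unambiguous")
            for scope, e in scopes.items() if e["chains"]}
```
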
