httpd-dev mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: DER encoded cert no longer supported in 2.4 since 2.4.8
Date Fri, 04 Dec 2015 17:01:41 GMT
On Thu, Dec 3, 2015 at 11:49 AM, Rainer Jung <rainer.jung@kippdata.de>
wrote:

> I did a 2.2 to 2.4 migration today. The old 2.2 server was using a
> certificate file, which was DER encoded and the new 2.4 one didn't like it.
>
> It seems support for DER encoded certs was removed in 2.4.8 as a side
> effect of r1573360 (backport of r1553824). The certificate in 2.2 is read
> using SSL_read_X509() which tries PEM but also DER. After the change, the
> OpenSSL API SSL_read_X509() is used, which only accepts PEM.
>
> Is that problem analysis right? If so we'd need to decide, whether we keep
> it as is (no one complained, so DER seems to be rare) and simply document
> the change in the changelog and migration guide, or whether we still need
> to support DER encoded certs.
>

I think you meant PEM_read_bio_* and PEM_X509_INFO_read_bio
in the 2.4.8+ implementation.

What I don't grok is why there are no corresponding DER_ functions
exposed by openssl?  If there were, fail-over seems simple enough.


> IMHO documenting the change would be enough.
>

That's a good start for anyone tripping over 2.4.8-2.4.x, whether
it is fixed or not.
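The PEM-then-DER fail-over discussed in this thread, as an added example that is not part of the original message or of httpd's mod_ssl code: it classifies a certificate file as PEM or DER by its leading bytes and outer ASN.1 SEQUENCE length, and re-armors a DER file as PEM so a PEM-only reader such as the 2.4.8+ code path accepts it. The sample DER bytes are constructed (a bare SEQUENCE holding one INTEGER), not a real certificate.

```python
import base64
import re

# Constructed sample input (not a real X.509 certificate): a DER SEQUENCE
# containing one INTEGER, standing in for a 2.2-era DER-encoded cert file.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_total_length(data: bytes):
    """Return the full length (header + content) of the DER TLV at data[0], or None."""
    if len(data) < 2:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    n = first & 0x7F                      # long form: n following octets hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def detect_encoding(data: bytes) -> str:
    """Classify certificate bytes as 'pem', 'der' or 'unknown'."""
    s = data.lstrip()
    if s.startswith(b"-----BEGIN "):
        return "pem"
    # DER X.509 is an outer ASN.1 SEQUENCE (tag 0x30) whose length spans the whole file;
    # a truncated file or trailing junk therefore comes back as 'unknown'.
    if s[:1] == b"\x30" and der_total_length(s) == len(s):
        return "der"
    return "unknown"

def load_as_pem(data: bytes) -> bytes:
    """PEM-then-DER fail-over: return PEM bytes that a PEM-only reader accepts."""
    kind = detect_encoding(data)
    if kind == "pem":
        return data
    if kind == "der":
        b64 = base64.b64encode(data).decode("ascii")
        lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]   # 64-column PEM body
        return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) +
                "\n-----END CERTIFICATE-----\n").encode("ascii")
    raise ValueError("neither PEM nor DER certificate data")

def pem_to_der(pem: bytes) -> bytes:
    """Inverse of the armoring, used to check that the conversion round-trips."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE PEM block found")
    return base64.b64decode(b"".join(m.group(1).split()))
```

Run `load_as_pem()` over a migrated SSLCertificateFile before starting the 2.4 server; a DER file is rewritten to PEM, a PEM file passes through unchanged.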
