httpd-docs mailing list archives

From "Eric Covener" <cove...@gmail.com>
Subject Re: SSLCertificateChainFile grammar issue
Date Sun, 24 Aug 2008 22:35:07 GMT
On Wed, Aug 20, 2008 at 12:46 AM, Vincent Bray <noodlet@gmail.com> wrote:
> The second paragraph of this directive's explanation ends "That's
> usually not one expect."
>
> Should that be "That's not usually what one expects."? The next
> paragraph takes some parsing too.
>
> I've no idea what this directive does so thought I'd best ask for
> clarification :-)

In my testing, the two directives did not overlap at all, namely this
phrase looks to be incorrect:

"Because although placing a CA certificate of the server certificate
chain into SSLCACertificatePath has the same effect for the
certificate chain construction"


SSLCACertificatePath does not cause openssl to send intermediate
certificates during the Server Hello, but SSLCertificateChainFile
does.

SSLCertificateChainFile is useful if the server's certificate is issued
by an intermediate certificate authority.  If a client trusts the root
CA, they just might not have a copy of the intermediate cert, but they
can validate the server-provided intermediate cert against their own
copy of the root cert, and proceed as if it was trusted.

This is seemingly independent of client authentication, because the
SSLCertificateChainFile directive doesn't actually add to the list of
DNs communicated during the client certificate request (like
SSLCACertificatePath does).


-- 
Eric Covener
covener@gmail.com
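
An offline check of the behaviour described in the message above, added here as an example and not part of the original thread: it builds a constructed root, intermediate and leaf with the openssl CLI, then verifies the leaf as a client that trusts only the root, first without and then with a peer-supplied intermediate. All subjects, file names and the `chain_demo` function are assumptions for illustration.

```shell
#!/bin/sh
# Added example: every name, subject and file below is constructed.
# Models a client that trusts only the root CA, as in the message above.
chain_demo() {
  d=$(mktemp -d) || return 2
  rc=0
  (
    cd "$d" || exit 2
    # Minimal config so the run does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=unused\n' > min.cnf
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    mk() { # mk <basename> <CN>: new key and CSR
      openssl req -new -newkey rsa:2048 -nodes -config min.cnf \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null
    }
    mk root "Constructed Root CA" &&
    mk inter "Constructed Intermediate CA" &&
    mk leaf "www.example.test" &&
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
      -days 2 -out root.pem 2>/dev/null &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key \
      -set_serial 2 -extfile ca.ext -days 2 -out inter.pem 2>/dev/null &&
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key \
      -set_serial 3 -days 2 -out leaf.pem 2>/dev/null || exit 2
    # Server sends the leaf only (no chain file configured).
    if openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
    then a=ok; else a=fail; fi
    # Server also sends the intermediate; -untrusted marks it as supplied
    # by the peer, not as a trust anchor.
    if openssl verify -CAfile root.pem -untrusted inter.pem leaf.pem \
      >/dev/null 2>&1
    then b=ok; else b=fail; fi
    echo "leaf-only=$a with-intermediate=$b"
  ) || rc=$?
  rm -rf "$d"
  return $rc
}
chain_demo
```

Against a live server, `openssl s_client -connect host:443 -showcerts` lists the certificates actually sent in the handshake.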
