httpd-docs mailing list archives

From "Eric Covener" <>
Subject Re: SSLCertificateChainFile grammar issue
Date Mon, 25 Aug 2008 12:29:24 GMT
On Sun, Aug 24, 2008 at 6:35 PM, Eric Covener <> wrote:
> On Wed, Aug 20, 2008 at 12:46 AM, Vincent Bray <> wrote:
>> The second paragraph of this directive's explanation ends "That's
>> usually not one expect."
>> Should that be "That's not usually what one expects."? The next
>> paragraph takes some parsing too.
>> I've no idea what this directive does so thought I'd best ask for
>> clarification :-)
> In my testing, the two directives did not overlap at all, namely this
> phrase looks to be incorrect:
> "Because although placing a CA certificate of the server certificate
> chain into SSLCACertificatePath has the same effect for the
> certificate chain construction"
> SSLCACertificatePath does not cause openssl to send intermediate
> certificates during the Server Hello, but SSLCertificateChainFile
> does.
> SSLCertificateChainFile is useful if the server's certificate is issued
> by an intermediate certificate authority.  If a client trusts the root
> CA, they just might not have a copy of the intermediate cert, but they
> can validate the server-provided intermediate cert against their own
> copy of the root cert, and proceed as if it was trusted.
> This is seemingly independent of client authentication, because the
> SSLCertificateChainFile directive doesn't actually add to the list of
> DNs communicated during the client certificate request (like
> SSLCACertificatePath does)

This comment, and all the attention in the SSLCertificateChainFile,
implies I'm mis-observing how this works:

+    /*
+     * Optionally configure extra server certificate chain certificates.
+     * This is usually done by OpenSSL automatically when one of the
+     * server cert issuers are found under SSLCACertificatePath or in
+     * SSLCACertificateFile. But because these are intended for client
+     * authentication it can conflict. For instance when you use a
+     * Global ID server certificate you've to send out the intermediate
+     * CA certificate, too. When you would just configure this with
+     * SSLCACertificateFile and also use client authentication mod_ssl
+     * would accept all clients also issued by this CA. Obviously this
+     * isn't what we want in this situation. So this feature here exists
+     * to allow one to explicity configure CA certificates which are
+     * used only for the server certificate chain.
+     */
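Review bot: the comment asserts that chain construction is "usually done by OpenSSL automatically" when a server cert issuer is found under SSLCACertificatePath or SSLCACertificateFile, which is exactly the behaviour the message above reports not observing in testing; the comment should state which OpenSSL behaviour it relies on and under what conditions (for example, since which OpenSSL version) instead of asserting it unconditionally, otherwise a reader cannot tell whether the "conflict" it describes still applies. Minor wording: "explicity" should read "explicitly", and "you've to send out" should read "you have to send out".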

Could just be a change in behavior in openssl, i.e. that certificate
chains for the Server Hello are implicitly constructed/sent just by
virtue of the intermediate certs existing in the server's trust store.

Eric Covener
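The client-side verification described in the quoted reply (root trusted, intermediate not held locally), reproduced offline with the openssl CLI as an added example that is not part of the thread; all CA names, keys and certificates are constructed here, and the file passed as -untrusted plays the part of the intermediate that SSLCertificateChainFile makes httpd send in the Server Hello.

```shell
#!/bin/sh
# Added demo (not from the thread): build a root -> intermediate -> server
# chain with the openssl CLI, then verify the server cert the way a client
# that trusts only the root would, with and without the intermediate.
# All names and certificates here are constructed for the demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions that mark a certificate as a CA (used for root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# Root CA: self-signed; this is the only certificate the "client" trusts.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Demo Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
  -extfile ca.ext 2>/dev/null

# Intermediate CA, issued by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Demo Intermediate CA" 2>/dev/null
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out inter.pem -days 30 -extfile ca.ext 2>/dev/null

# Server certificate, issued by the intermediate (not by the root).
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -out server.pem -days 30 2>/dev/null

# Verify server.pem against the root only; extra args go to openssl verify.
# Exit status 0 means the client would accept the certificate.
verify_leaf() {
  openssl verify -CAfile root.pem "$@" server.pem >/dev/null 2>&1
}

# Client holds the root, server sends only its own certificate: fails with
# "unable to get local issuer certificate".
leaf_verifies_alone() { verify_leaf; }

# Server also sends inter.pem (the SSLCertificateChainFile case); the client
# chains server -> intermediate -> its trusted root and accepts it.
leaf_verifies_with_chain() { verify_leaf -untrusted inter.pem; }

if leaf_verifies_alone; then echo "root only: accepted"; else echo "root only: rejected (intermediate missing)"; fi
if leaf_verifies_with_chain; then echo "root + served intermediate: accepted"; fi
```

The same rejection is what a browser shows against an httpd that serves an intermediate-issued certificate without SSLCertificateChainFile, unless that browser happens to have the intermediate cached.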
