httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric Covener <cove...@gmail.com>
Subject Re: SSLCertificateChainFile grammar issue
Date Tue, 30 Nov 2010 12:04:37 GMT
I've taken a crack at the odd wording and confusing content and done
some more testing:

http://people.apache.org/~covener/sslchain.diff



On Mon, Aug 25, 2008 at 8:29 AM, Eric Covener <covener@gmail.com> wrote:
> On Sun, Aug 24, 2008 at 6:35 PM, Eric Covener <covener@gmail.com> wrote:
>> On Wed, Aug 20, 2008 at 12:46 AM, Vincent Bray <noodlet@gmail.com> wrote:
>>> The second paragraph of this directive's explanation ends "That's
>>> usually not one expect."
>>>
>>> Should that be "That's not usually what one expects."? The next
>>> paragraph takes some parsing too.
>>>
>>> I've no idea what this directive does so thought I'd best ask for
>>> clarification :-)
>>
>> In my testing, the two directives did not overlap at all, namely this
>> phrase looks to be incorrect:
>>
>> "Because although placing a CA certificate of the server certificate
>> chain into SSLCACertificatePath has the same effect for the
>> certificate chain construction"
>>
>>
>> SSLCACertificatePath does not cause openssl to send intermediate
>> certificates during the Server Hello, but SSLCertificateChainFile
>> does.
>>
>> SSLCertificateChainFile is useful if the servers certificate is issued
>> by an intermediate certificate authority.  if a client trusts the root
>> CA, they just might not have a copy of the intermediate cert, but they
>> can validate the server-provided intermediate cert against their own
>> copy of the root cert, and proceed as if it was trusted.
>>
>> This is seemingly independent of client authentication, because the
>> SSLCertificateChailFile directives doesn't actually add to the list of
>> DN's communicated during the client certificiate request (like
>> SSLCACertificatePath does)
>
> This comment, and all the attention in the SSLCertificateChainFile,
> implies I'm mis-observing how this works:
>
> ssl_engine_init.c:
> +    /*
> +     * Optionally configure extra server certificate chain certificates.
> +     * This is usually done by OpenSSL automatically when one of the
> +     * server cert issuers are found under SSLCACertificatePath or in
> +     * SSLCACertificateFile. But because these are intended for client
> +     * authentication it can conflict. For instance when you use a
> +     * Global ID server certificate you've to send out the intermediate
> +     * CA certificate, too. When you would just configure this with
> +     * SSLCACertificateFile and also use client authentication mod_ssl
> +     * would accept all clients also issued by this CA. Obviously this
> +     * isn't what we want in this situation. So this feature here exists
> +     * to allow one to explicity configure CA certificates which are
> +     * used only for the server certificate chain.
> +     */
>
>
> Could just be a change in behavior in openssl, i.e. that certificate
> chains for the Server Hello are implicitly constructed/sent just by
> virtue of the intermediate certs existing in the servers trust store.
>
>
>
> --
> Eric Covener
> covener@gmail.com
>



-- 
Eric Covener
covener@gmail.com

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org


Mime
View raw message