Subject: Re: SSLCertificateChainFile grammar issue
From: Eric Covener
To: docs@httpd.apache.org
Date: Tue, 30 Nov 2010 07:04:37 -0500

I've taken a crack at the odd wording and confusing content and done
some more testing:

http://people.apache.org/~covener/sslchain.diff

On Mon, Aug 25, 2008 at 8:29 AM, Eric Covener wrote:
> On Sun, Aug 24, 2008 at 6:35 PM, Eric Covener wrote:
>> On Wed, Aug 20, 2008 at 12:46 AM, Vincent Bray wrote:
>>> The second paragraph of this directive's explanation ends "That's
>>> usually not one expect."
>>>
>>> Should that be "That's not usually what one expects."? The next
>>> paragraph takes some parsing too.
>>>
>>> I've no idea what this directive does so thought I'd best ask for
>>> clarification :-)
>>
>> In my testing, the two directives did not overlap at all, namely this
>> phrase looks to be incorrect:
>>
>> "Because although placing a CA certificate of the server certificate
>> chain into SSLCACertificatePath has the same effect for the
>> certificate chain construction"
>>
>>
>> SSLCACertificatePath does not cause openssl to send intermediate
>> certificates during the Server Hello, but SSLCertificateChainFile
>> does.
>>
>> SSLCertificateChainFile is useful if the server's certificate is issued
>> by an intermediate certificate authority. If a client trusts the root
>> CA, they just might not have a copy of the intermediate cert, but they
>> can validate the server-provided intermediate cert against their own
>> copy of the root cert, and proceed as if it was trusted.
>>
>> This is seemingly independent of client authentication, because the
>> SSLCertificateChainFile directive doesn't actually add to the list of
>> DNs communicated during the client certificate request (like
>> SSLCACertificatePath does).
>
> This comment, and all the attention in the SSLCertificateChainFile,
> implies I'm mis-observing how this works:
>
> ssl_engine_init.c:
> +    /*
> +     * Optionally configure extra server certificate chain certificates.
> +     * This is usually done by OpenSSL automatically when one of the
> +     * server cert issuers are found under SSLCACertificatePath or in
> +     * SSLCACertificateFile. But because these are intended for client
> +     * authentication it can conflict. For instance when you use a
> +     * Global ID server certificate you've to send out the intermediate
> +     * CA certificate, too. When you would just configure this with
> +     * SSLCACertificateFile and also use client authentication mod_ssl
> +     * would accept all clients also issued by this CA. Obviously this
> +     * isn't what we want in this situation. So this feature here exists
> +     * to allow one to explicity configure CA certificates which are
> +     * used only for the server certificate chain.
> +     */
>
>
> Could just be a change in behavior in openssl, i.e. that certificate
> chains for the Server Hello are implicitly constructed/sent just by
> virtue of the intermediate certs existing in the server's trust store.
>
>
>
> --
> Eric Covener
> covener@gmail.com
>

--
Eric Covener
covener@gmail.com
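Review bot: the quoted comment's claim that OpenSSL sends chain certificates automatically when a server certificate issuer is found under SSLCACertificatePath or SSLCACertificateFile does not match the testing reported earlier in this thread, where only SSLCertificateChainFile caused the intermediate to be sent during the Server Hello; if this depends on the OpenSSL version, the comment (and the directive's documentation it feeds) should say so instead of presenting automatic chain construction as the usual case and SSLCertificateChainFile as merely a way to avoid a client-authentication side effect. Minor: "explicity" should be "explicitly".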
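To make the behaviour discussed in the thread concrete, here is an added shell example (not from the thread and not mod_ssl's own code) that builds a constructed root -> intermediate -> server chain with the openssl CLI and then verifies the server certificate the way a client that trusts only the root would: once given just the leaf (what the client gets when the intermediate sits only in SSLCACertificatePath and nothing sends it) and once given the server-supplied intermediate (what SSLCertificateChainFile provides). It assumes the openssl command-line tool is installed; the CA names and www.example.test are made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or mod_ssl): build a constructed
# root -> intermediate -> server chain and verify the server cert as a client
# that trusts only the root, with and without the server-supplied intermediate.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n' > req.cnf
printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >> req.cnf
# Extension profiles for the intermediate (a CA) and the server cert (not a CA).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# Root CA: self-signed; the only certificate the simulated client trusts.
openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 2 \
    -subj '/CN=Constructed Root CA' -keyout root.key -out root.crt 2>/dev/null
# Intermediate CA, issued by the root.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -subj '/CN=Constructed Intermediate CA' -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -days 2 -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -extfile ca.ext -out inter.crt 2>/dev/null
# Server certificate (what SSLCertificateFile would point at), issued by the intermediate.
openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
    -subj '/CN=www.example.test' -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -days 2 -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
    -extfile leaf.ext -out leaf.crt 2>/dev/null

# Client that trusts the root but was sent only the leaf: the situation when the
# intermediate was put in SSLCACertificatePath (client-auth trust store) and
# nothing told mod_ssl to send it. Returns 0 only if the leaf verifies.
verify_without_chain() {
    if openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1; then return 0; fi
    return 1
}
# Same client, but the handshake also carried inter.crt (the effect of
# SSLCertificateChainFile). -untrusted models a server-supplied cert that is
# used for path building but is not itself a trust anchor.
verify_with_chain() {
    if openssl verify -CAfile root.crt -untrusted inter.crt leaf.crt >/dev/null 2>&1; then
        return 0
    fi
    return 1
}

if verify_without_chain; then echo 'unexpected: leaf verified without the intermediate'
else echo 'no chain sent: client cannot build a path to its trusted root'; fi
if verify_with_chain; then echo 'chain sent: leaf validates via the server-supplied intermediate'; fi
```

The same check against a live server is `openssl s_client -connect host:443 -showcerts`: if only one certificate is printed, the intermediate is not being sent regardless of what is in SSLCACertificatePath.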