Posted to issues@trafficserver.apache.org by "Steven Feltner (JIRA)" <ji...@apache.org> on 2014/08/20 18:34:26 UTC
[jira] [Created] (TS-3027) Hashed SSL Intermediate Server Certs not recognized
Steven Feltner created TS-3027:
----------------------------------
Summary: Hashed SSL Intermediate Server Certs not recognized
Key: TS-3027
URL: https://issues.apache.org/jira/browse/TS-3027
Project: Traffic Server
Issue Type: Bug
Components: SSL
Reporter: Steven Feltner
Tested on:
CentOS 6.5 x86_64
trafficserver-5.0.1
Pertinent Config Values:
CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
#CONFIG proxy.config.ssl.CA.cert.filename STRING combined_ca_bundle.crt
CONFIG proxy.config.ssl.CA.cert.path STRING /var/linhosting/users/local
(with and without CA.cert.filename configured)
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.client.verify.server INT 0
c_rehash (from OpenSSL) called from command line to create hash symlinks
Currently, SSL_CTX_load_verify_locations is only called in two cases:
if (params->clientCertLevel != 0) {
and
if (params->clientVerify) {
Attached patch will create a precedence such that:
    if ssl_ca_name= is configured in ssl_multicert.config
        use that to build the cert chain
    else if proxy.config.ssl.CA.cert.filename is configured (along with proxy.config.ssl.CA.cert.path)
        use that file to build the chain
    else if proxy.config.ssl.CA.cert.path is configured (and proxy.config.ssl.CA.cert.filename is NULL)
        use the hashed symlinks in that directory to build the chain
    else
        error out because we don't have the right configuration to build the chain
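The precedence above, as an added illustration that is not part of the report or of the Traffic Server code base: it parses the quoted records.config lines (treating the STRING value NULL as unset and skipping the commented-out line), picks the CA source in the order the reporter describes, and includes a check that a CA.cert.path directory actually holds c_rehash-style hash symlinks. Function names, the CaSource record, and the sample ssl_multicert.config line are assumptions for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Constructed sample: the records.config lines quoted in the report.
SAMPLE_RECORDS = """\
CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
#CONFIG proxy.config.ssl.CA.cert.filename STRING combined_ca_bundle.crt
CONFIG proxy.config.ssl.CA.cert.path STRING /var/linhosting/users/local
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.client.verify.server INT 0
"""


def parse_records(text: str) -> Dict[str, object]:
    """Parse 'CONFIG <name> <TYPE> <value>' lines.

    Lines starting with '#' are comments and ignored. For STRING records the
    literal value NULL means "not configured" and is stored as None, which is
    the distinction the precedence rules below depend on.
    """
    values: Dict[str, object] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 3)
        if len(parts) != 4 or parts[0] != "CONFIG":
            continue  # not a CONFIG record; leave it alone
        _, name, rtype, value = parts
        if rtype == "STRING":
            values[name] = None if value == "NULL" else value
        elif rtype == "INT":
            values[name] = int(value)
        else:
            values[name] = value
    return values


def parse_multicert_ca_name(line: str) -> Optional[str]:
    """Return the ssl_ca_name= value from one ssl_multicert.config record
    (whitespace-separated key=value fields), or None if absent/empty."""
    for field in line.split():
        key, sep, val = field.partition("=")
        if sep and key == "ssl_ca_name":
            return val or None
    return None


@dataclass
class CaSource:
    kind: str             # "multicert", "file", "path" or "error"
    ca_file: Optional[str]  # what would go into SSL_CTX_load_verify_locations(ctx, CAfile, ...)
    ca_path: Optional[str]  # ... and its CApath argument


def resolve_ca_source(records: Dict[str, object], multicert_line: str = "") -> CaSource:
    """Apply the precedence from the report: per-cert ssl_ca_name, then
    CA.cert.filename inside CA.cert.path, then the hashed CA.cert.path
    directory alone, else an error."""
    ca_path = records.get("proxy.config.ssl.CA.cert.path")
    ca_file = records.get("proxy.config.ssl.CA.cert.filename")
    ca_name = parse_multicert_ca_name(multicert_line)
    if ca_name:
        return CaSource("multicert", ca_name, ca_path)
    if ca_file and ca_path:
        return CaSource("file", f"{ca_path}/{ca_file}", ca_path)
    if ca_path and not ca_file:
        return CaSource("path", None, ca_path)
    return CaSource("error", None, None)


# c_rehash names its symlinks <8 hex digits>.<n>, e.g. a1b2c3d4.0
_HASH_LINK = re.compile(r"^[0-9a-f]{8}\.\d+$")


def is_rehashed_listing(names: Iterable[str]) -> bool:
    """True if a directory listing contains at least one c_rehash-style
    hash link; a CApath without them will not be consulted by OpenSSL."""
    return any(_HASH_LINK.match(n) for n in names)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print(resolve_ca_source(recs))
    print(resolve_ca_source(recs, "dest_ip=* ssl_cert_name=server.pem ssl_ca_name=chain.crt"))
```

With the report's own values (filename NULL, path set) the resolver lands on the "path" branch, which is exactly the configuration the reporter says is currently never passed to SSL_CTX_load_verify_locations unless client certification or server verification is enabled.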
--
This message was sent by Atlassian JIRA
(v6.2#6252)