Posted to bugs@httpd.apache.org by bu...@apache.org on 2009/06/24 17:29:37 UTC

DO NOT REPLY [Bug 47329] SSLCADNRequest* & SSLCACertificate* silently do not work with 'Trusted' certificates

https://issues.apache.org/bugzilla/show_bug.cgi?id=47329


tlhackque@yahoo.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|SSLCADNRequest* &           |SSLCADNRequest* &
                   |SSLCACertificate*           |SSLCACertificate* silently
                   |defficiency                 |do not work with 'Trusted'
                   |                            |certificates




--- Comment #2 from tlhackque@yahoo.com  2009-06-24 08:29:35 PST ---
The more I think about this, the more convinced I become that an error message
(or a fix) is required.

The user is supplying a valid certificate that httpd is not able to process. 
Httpd doesn't behave as expected.  

I lived without the correct information being sent to by clients' browsers for
several years (yes, years) until I was finally able to get traces showing that
the valid CA messages weren't being sent.  It was particularly confusing as an
administrator, as when using SSLCACertificate*, the certificate was used
correctly by httpd for one purpose, but not for another.  And of course, it
only really impacts clients with more than one certificate to send...

While the documentation should be improved, I don't think that's sufficient.

Arguably this can be pushed upstream to OpenSSL, as HTTPD seems to just pass
the filename along.  Or HTTPD can validate the certificate itself.  But
someone, somewhere in the chain needs to detect this error, and httpd needs to
ultimately report it.  Silently ignoring a valid certificate isn't acceptable.

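One way to detect the condition this comment asks httpd to report, written as an added example; it is not part of the original bug comment and is not httpd or OpenSSL code. It assumes the 'Trusted' certificates in the bug title are PEM blocks labelled `TRUSTED CERTIFICATE` (the form `openssl x509 -trustout` writes); `audit_ca_pem`, `problems` and the sample input are hypothetical names and constructed data.

```python
import re

# Assumption: the bug's "'Trusted' certificates" are PEM blocks carrying
# OpenSSL's "TRUSTED CERTIFICATE" label (written by `openssl x509 -trustout`).
STATUS = {"CERTIFICATE": "ok", "X509 CERTIFICATE": "ok",
          "TRUSTED CERTIFICATE": "trusted-format"}
MARKER = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")

def audit_ca_pem(text):
    """Return (line_no, label, status) for every PEM block found in text."""
    findings, current = [], None   # current = (line_no, label) of the open block
    for line_no, raw in enumerate(text.splitlines(), 1):
        m = MARKER.match(raw.strip())
        if not m:
            continue               # base64 body or free text between blocks
        kind, label = m.groups()
        if kind == "BEGIN":
            if current:            # previous block was never closed
                findings.append((*current, "unterminated"))
            current = (line_no, label)
        elif current is None:
            findings.append((line_no, label, "end-without-begin"))
        else:
            ok_pair = label == current[1]
            status = STATUS.get(label, "not-a-certificate") if ok_pair else "mismatched-end"
            findings.append((*current, status))
            current = None
    if current:
        findings.append((*current, "unterminated"))
    return findings

def problems(text):
    """Blocks an administrator should be warned about (anything not 'ok')."""
    return [f for f in audit_ca_pem(text) if f[2] != "ok"]

# Constructed sample: placeholder bodies, not real certificates.
SAMPLE = """-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN TRUSTED CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END TRUSTED CERTIFICATE-----
"""

if __name__ == "__main__":
    for line_no, label, status in problems(SAMPLE):
        print(f"warning: line {line_no}: {label}: {status}")
```

Run against the file named in a CA directive before a restart, this turns the silent case into a warning that names the offending block and its line.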