Posted to bugs@httpd.apache.org by bu...@apache.org on 2002/11/14 20:26:27 UTC

DO NOT REPLY [Bug 14560] New: - SSLCertificateChainFile behaviour different or broken vs. apache v1.3.x

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=14560

SSLCertificateChainFile behaviour different or broken vs. apache v1.3.x

           Summary: SSLCertificateChainFile behaviour different or broken
                    vs. apache v1.3.x
           Product: Apache httpd-2.0
           Version: 2.0.43
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: mod_ssl
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: jkoyle@rfpdepot.com


I found that the SSLCertificateChainFile directive was not behaving the same as
it has in apache v1.3.

According to VeriSign, when using a global certificate, you need to use the
above directive to provide the client with the Intermediate CA.  So, in my old
v1.3 configuration I had the following 3 directives:

SSLCertificateChainFile ssl.crt/ca.crt
SSLCertificateFile ssl.crt/server.crt
SSLCertificateKeyFile ssl.key/server.key

This doesn't work under apache2 however.  The certificate in the chainfile never
seems to be presented to the client.  Clients were getting presented with the
unrecognized signing authority error.

According to the comments in the ssl.conf sample config file, you can also point
it to the SSLCertificateFile if the intermediate CA is directly appended to the
bottom of the file. This did fix the problem.

Here are my specs:

RH v7.3
openssl-0.9.6b-28
./configure --prefix=/a01/app/dpxdemo/apache_2.0.43 --enable-mods-shared=all --enable-ssl

Thanks,
John
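
An added example, not part of the original report and not Apache project code: a small check that tells the reported layout (separate chain file) apart from the workaround (SSLCertificateChainFile pointing at the SSLCertificateFile, with the intermediate CA appended to it). The function names, the in-memory `files` mapping and the placeholder PEM blocks are assumptions made for illustration; the directive names and paths are the ones in the report.

```python
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s+[A-Za-z0-9+/=\s]+?-----END CERTIFICATE-----")
DIRECTIVES = ("SSLCertificateFile", "SSLCertificateChainFile")

# Constructed placeholders, not real certificates: only the PEM framing matters.
LEAF = "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nSU5URVI=\n-----END CERTIFICATE-----\n"

# Layout as posted in the report, and the workaround layout it describes.
REPORTED_CONF = """\
SSLCertificateChainFile ssl.crt/ca.crt
SSLCertificateFile ssl.crt/server.crt
SSLCertificateKeyFile ssl.key/server.key
"""
WORKAROUND_CONF = REPORTED_CONF.replace("ssl.crt/ca.crt", "ssl.crt/server.crt")


def parse_directives(conf_text):
    """Return {directive: path} for the two certificate directives (last one wins)."""
    found = {}
    for line in conf_text.splitlines():
        parts = line.split("#", 1)[0].split()  # drop comments, tolerate indentation
        if len(parts) == 2 and parts[0] in DIRECTIVES:
            found[parts[0]] = parts[1].strip('"')
    return found


def check_chain_config(conf_text, files):
    """files maps path -> PEM text (hypothetical stand-in for reading from disk).
    Returns a list of findings; an empty list means the workaround layout is in place."""
    d = parse_directives(conf_text)
    cert, chain = d.get("SSLCertificateFile"), d.get("SSLCertificateChainFile")
    if cert is None:
        return ["no SSLCertificateFile directive"]
    n_cert = len(PEM_CERT.findall(files.get(cert, "")))
    findings = []
    if n_cert == 0:
        findings.append(f"{cert}: no certificate block found")
    if chain is None:
        findings.append("no SSLCertificateChainFile directive")
    elif chain != cert:
        findings.append(f"separate chain file {chain}: the layout the report found "
                        "was not presented to clients on 2.0.43; confirm what is sent")
    elif n_cert == 1:
        findings.append(f"{cert} doubles as chain file but holds only the server "
                        "certificate; append the intermediate CA")
    return findings
```

The check only counts PEM blocks; it does not validate that the appended certificate is actually the issuer of the server certificate.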
