Posted to docs@httpd.apache.org by Eric Covener <co...@gmail.com> on 2010/11/30 13:04:37 UTC

Re: SSLCertificateChainFile grammar issue

I've taken a crack at the odd wording and confusing content and done
some more testing:

http://people.apache.org/~covener/sslchain.diff



On Mon, Aug 25, 2008 at 8:29 AM, Eric Covener <co...@gmail.com> wrote:
> On Sun, Aug 24, 2008 at 6:35 PM, Eric Covener <co...@gmail.com> wrote:
>> On Wed, Aug 20, 2008 at 12:46 AM, Vincent Bray <no...@gmail.com> wrote:
>>> The second paragraph of this directive's explanation ends "That's
>>> usually not one expect."
>>>
>>> Should that be "That's not usually what one expects."? The next
>>> paragraph takes some parsing too.
>>>
>>> I've no idea what this directive does so thought I'd best ask for
>>> clarification :-)
>>
>> In my testing, the two directives did not overlap at all, namely this
>> phrase looks to be incorrect:
>>
>> "Because although placing a CA certificate of the server certificate
>> chain into SSLCACertificatePath has the same effect for the
>> certificate chain construction"
>>
>>
>> SSLCACertificatePath does not cause openssl to send intermediate
>> certificates during the Server Hello, but SSLCertificateChainFile
>> does.
>>
>> SSLCertificateChainFile is useful if the server's certificate is issued
>> by an intermediate certificate authority. If a client trusts the root
>> CA, they just might not have a copy of the intermediate cert, but they
>> can validate the server-provided intermediate cert against their own
>> copy of the root cert, and proceed as if it was trusted.
>>
>> This is seemingly independent of client authentication, because the
>> SSLCertificateChainFile directive doesn't actually add to the list of
>> DNs communicated during the client certificate request (like
>> SSLCACertificatePath does).
>
> This comment, and all the attention in the SSLCertificateChainFile,
> implies I'm mis-observing how this works:
>
> ssl_engine_init.c:
> +    /*
> +     * Optionally configure extra server certificate chain certificates.
> +     * This is usually done by OpenSSL automatically when one of the
> +     * server cert issuers are found under SSLCACertificatePath or in
> +     * SSLCACertificateFile. But because these are intended for client
> +     * authentication it can conflict. For instance when you use a
> +     * Global ID server certificate you've to send out the intermediate
> +     * CA certificate, too. When you would just configure this with
> +     * SSLCACertificateFile and also use client authentication mod_ssl
> +     * would accept all clients also issued by this CA. Obviously this
> +     * isn't what we want in this situation. So this feature here exists
> +     * to allow one to explicity configure CA certificates which are
> +     * used only for the server certificate chain.
> +     */
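Review bot: the statement in this comment that OpenSSL builds the server chain automatically when one of the server cert issuers is found under SSLCACertificatePath or SSLCACertificateFile is contradicted by the testing reported earlier in this thread, where only SSLCertificateChainFile caused the intermediate certificate to be sent; that sentence should be checked against the OpenSSL version in use and qualified rather than stated as fact. Two smaller points in the same block: "one of the server cert issuers are found" should read "is found", and "explicity" should be "explicitly".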
>
>
> Could just be a change in behavior in openssl, i.e. that certificate
> chains for the Server Hello are implicitly constructed/sent just by
> virtue of the intermediate certs existing in the server's trust store.
>
>
>
> --
> Eric Covener
> covener@gmail.com
>



-- 
Eric Covener
covener@gmail.com
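The behaviour described in the quoted message (a client that trusts only the root CA can validate the server certificate once the server also supplies the intermediate) as an added shell example; it is not part of this thread or of httpd, assumes a local openssl binary, and every CA and host name in it is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: build a constructed root ->
# intermediate -> server chain, then verify as a client that trusts only the
# root. It fails on the server cert alone and succeeds once the intermediate
# is supplied, which is what SSLCertificateChainFile makes httpd send.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles: CA certs may sign certificates, the server leaf may not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > leaf.ext

# Root CA, self-signed. All names are constructed; no real CA is involved.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Constructed Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 30 \
  -extfile ca.ext 2>/dev/null

# Intermediate CA, issued by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Constructed Intermediate CA" 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 30 -extfile ca.ext 2>/dev/null

# Server certificate, issued by the intermediate (what SSLCertificateFile holds).
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=www.example.test" 2>/dev/null
openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out server.pem -days 30 -extfile leaf.ext 2>/dev/null
# int.pem is the file SSLCertificateChainFile would point at.

# Client trusts only the root and receives only the server cert: fails.
verify_leaf_only() {
  openssl verify -CAfile root.pem server.pem >/dev/null 2>&1
}

# Same client, but the server also supplied the intermediate: succeeds.
verify_with_chain() {
  openssl verify -CAfile root.pem -untrusted int.pem server.pem >/dev/null 2>&1
}

verify_leaf_only  && echo "leaf alone: verified" || echo "leaf alone: verification failed (no issuer)"
verify_with_chain && echo "with intermediate: verified" || echo "with intermediate: failed"
```

Against a live server the same check is `openssl s_client -connect host:443 -showcerts`, which lists exactly the certificates httpd sent in the Server Hello, so a missing intermediate shows up there before clients report it.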
