Posted to dev@httpd.apache.org by Daniel Ruggeri <DR...@primary.net> on 2011/09/03 16:01:05 UTC

Re: svn commit: r1160863 - in /httpd/httpd/trunk: docs/manual/mod/modules/ssl/

On 9/3/2011 1:06 AM, Kaspar Brand wrote:
> Nit: could you replace "intermediary" by "intermediate" in all log
> messages and comments? The former isn't really an X.509/PKIX term. (In
> the above message, I suggest saying "intermediate CA certificates".)
No problem.

> I think it's preferable to let OpenSSL build the chain (instead of
> doing it ourselves). There's no readily available function for this,
> unfortunately, but could you try something along the lines in OpenSSL's
> s3_both.c:ssl3_output_cert_chain()? See
>
>   http://cvs.openssl.org/chngview?cn=18326
>
> I.e., use X509_verify_cert(), ignore its result, but grab the chain from
> the X509_STORE_CTX afterwards. (And when you're done, it's probably
> wise to call ERR_clear_error, see http://cvs.openssl.org/chngview?cn=19472).
I searched for a function to do exactly this and came up empty. Thank
you very much for bringing this to my attention! I'll definitely update
the patch with this because the method I'm using is certainly a
sticks-and-stones approach.

-- 
Daniel Ruggeri