Posted to dev@httpd.apache.org by Nick Gearls <ni...@gmail.com> on 2009/08/12 16:31:31 UTC
Certificate chain order not conform to TLS standard
Hello,
I get problems with a picky SSL client complaining that Apache does not
send the certificate chain in the right order (server/CA/root).
Is that possible? Doesn't Apache (I am using 2.2.4) honor the RFC?
Thanks,
Nick
Re: Certificate chain order not conform to TLS standard
Posted by Peter Sylvester <pe...@edelweb.fr>.
>
>> Right, but as far as I remember there are some picky SSL clients that
>> puke if it is present. I am not saying that the behaviour of these clients
>> is correct. Thus I said don't put it in :-)
>>
>>
ok. something that could be said in a FAQ?
RE: Certificate chain order not conform to TLS standard
Posted by "Plüm, Rüdiger, VF-Group" <ru...@vodafone.com>.
> -----Original Message-----
> From: Peter Sylvester [mailto:peter.sylvester@edelweb.fr]
> Sent: Thursday, 13 August 2009 10:51
> To: dev@httpd.apache.org
> Subject: Re: Certificate chain order not conform to TLS standard
>
> Plüm, Rüdiger, VF-Group wrote:
> >
> >
> >
> >> -----Original Message-----
> >> From: Nick Gearls [mailto:nickgearls@gmail.com]
> >> Sent: Thursday, 13 August 2009 08:51
> >> To: dev@httpd.apache.org
> >> Subject: Re: Certificate chain order not conform to TLS standard
> >>
> >> I tried both orders:
> >>
> >> SSLCertificateFile conf/ssl/server.pem
> >> SSLCertificateChainFile conf/ssl/chain.pem
> >>
> >> where server.pem contains both the cert and the private key,
> >> and chain.pem contains either CA/root or root/CA
> >>
> >
> > Don't put the root cert in the chain file, only the
> intermediate certs.
> >
> >
> > Regards
> >
> > Rüdiger
> >
> leaving the self-signed root should not be a problem:
>
> This is a sequence (chain) of X.509v3 certificates. The sender's
> certificate must come first in the list. Each following
> certificate must directly certify the one preceding it. Because
> certificate validation requires that root keys be distributed
> independently, the self-signed certificate that
> specifies the root
> certificate authority may optionally be omitted from the chain,
>
Right, but as far as I remember there are some picky SSL clients that
puke if it is present. I am not saying that the behaviour of these clients
is correct. Thus I said don't put it in :-)
Regards
Rüdiger
Re: Certificate chain order not conform to TLS standard
Posted by Peter Sylvester <pe...@edelweb.fr>.
Plüm, Rüdiger, VF-Group wrote:
>
>
>
>> -----Original Message-----
>> From: Nick Gearls [mailto:nickgearls@gmail.com]
>> Sent: Thursday, 13 August 2009 08:51
>> To: dev@httpd.apache.org
>> Subject: Re: Certificate chain order not conform to TLS standard
>>
>> I tried both orders:
>>
>> SSLCertificateFile conf/ssl/server.pem
>> SSLCertificateChainFile conf/ssl/chain.pem
>>
>> where server.pem contains both the cert and the private key,
>> and chain.pem contains either CA/root or root/CA
>>
>
> Don't put the root cert in the chain file, only the intermediate certs.
>
>
> Regards
>
> Rüdiger
>
leaving the self-signed root should not be a problem:
This is a sequence (chain) of X.509v3 certificates. The sender's
certificate must come first in the list. Each following
certificate must directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate that specifies the root
certificate authority may optionally be omitted from the chain,
/P
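The ordering rule quoted from the TLS RFC above, and Rüdiger's advice about the trailing root, as an added check (example code, not from the thread or from httpd): httpd sends the certificates in the order they appear in SSLCertificateChainFile, so the file order is the wire order. The subject and issuer names here are constructed; in practice they would be taken from `openssl x509 -noout -subject -issuer` for each PEM block in the file.

```python
"""Check that a TLS certificate chain is ordered as the RFC requires:
server certificate first, each following certificate directly certifying
the one before it, and the self-signed root last (or omitted)."""
from typing import List, NamedTuple


class Cert(NamedTuple):
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        # A root CA certificate is issued by itself.
        return self.subject == self.issuer


def check_chain(chain: List[Cert], allow_root: bool = True) -> List[str]:
    """Return a list of problems; an empty list means the chain is well ordered.

    allow_root=False additionally flags a trailing self-signed root, which the
    RFC permits but which the thread notes some picky clients reject."""
    if not chain:
        return ["chain is empty"]
    problems = []
    for i in range(1, len(chain)):
        prev, cur = chain[i - 1], chain[i]
        # "Each following certificate must directly certify the one preceding it."
        if cur.subject != prev.issuer:
            problems.append(f"cert {i} ({cur.subject}) does not certify cert {i - 1} "
                            f"({prev.subject}), whose issuer is {prev.issuer}")
    for i, cert in enumerate(chain[:-1]):
        # A self-signed certificate anywhere but the end means the order is wrong.
        if cert.self_signed:
            problems.append(f"self-signed cert {i} ({cert.subject}) is not last")
    if chain[-1].self_signed and not allow_root:
        problems.append(f"self-signed root {chain[-1].subject} is present; "
                        "omit it from the chain file for strict clients")
    return problems


# Constructed sample names, not from the thread.
SERVER = Cert("CN=www.example.test", "CN=Example Intermediate CA")
INTERMEDIATE = Cert("CN=Example Intermediate CA", "CN=Example Root CA")
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")

if __name__ == "__main__":
    for label, chain in {"CA only": [SERVER, INTERMEDIATE],
                         "CA/root": [SERVER, INTERMEDIATE, ROOT],
                         "root/CA": [SERVER, ROOT, INTERMEDIATE]}.items():
        print(label, check_chain(chain) or "OK")
```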
RE: Certificate chain order not conform to TLS standard
Posted by "Plüm, Rüdiger, VF-Group" <ru...@vodafone.com>.
> -----Original Message-----
> From: Nick Gearls [mailto:nickgearls@gmail.com]
> Sent: Thursday, 13 August 2009 08:51
> To: dev@httpd.apache.org
> Subject: Re: Certificate chain order not conform to TLS standard
>
> I tried both orders:
>
> SSLCertificateFile conf/ssl/server.pem
> SSLCertificateChainFile conf/ssl/chain.pem
>
> where server.pem contains both the cert and the private key,
> and chain.pem contains either CA/root or root/CA
Don't put the root cert in the chain file, only the intermediate certs.
Regards
Rüdiger
Re: Certificate chain order not conform to TLS standard
Posted by Nick Gearls <ni...@gmail.com>.
I tried both orders:
SSLCertificateFile conf/ssl/server.pem
SSLCertificateChainFile conf/ssl/chain.pem
where server.pem contains both the cert and the private key,
and chain.pem contains either CA/root or root/CA
Plüm, Rüdiger, VF-Group wrote:
>
>
>> -----Original Message-----
>> From: Nick Gearls [mailto:nickgearls@gmail.com]
>> Sent: Wednesday, 12 August 2009 16:32
>> To: Development Apache
>> Subject: Certificate chain order not conform to TLS standard
>>
>> Hello,
>>
>> I get problems with a picky SSL client complaining that
>> Apache does not
>> send the certificate chain in the right order (server/CA/root).
>> Is that possible? Doesn't Apache (I am using 2.2.4) honor the RFC?
>
> This is not a matter of httpd but a matter in which order you
> put the certificates of the chain in the chainfile.
> Try changing their order in the chainfile.
>
>
> Regards
>
> Rüdiger
>
>
RE: Certificate chain order not conform to TLS standard
Posted by "Plüm, Rüdiger, VF-Group" <ru...@vodafone.com>.
> -----Original Message-----
> From: Nick Gearls [mailto:nickgearls@gmail.com]
> Sent: Wednesday, 12 August 2009 16:32
> To: Development Apache
> Subject: Certificate chain order not conform to TLS standard
>
> Hello,
>
> I get problems with a picky SSL client complaining that
> Apache does not
> send the certificate chain in the right order (server/CA/root).
> Is that possible? Doesn't Apache (I am using 2.2.4) honor the RFC?
This is not a matter of httpd but a matter in which order you
put the certificates of the chain in the chainfile.
Try changing their order in the chainfile.
Regards
Rüdiger