Posted to users@trafficserver.apache.org by James Peach <jp...@apache.org> on 2014/07/10 02:30:08 UTC

Re: TLS wishlist: Chained SSL certificates

On Feb 24, 2014, at 3:50 PM, Reindl Harald <h....@thelounge.net> wrote:

> 
> 
> On 25.02.2014 00:42, James Peach wrote:
>> On Jan 31, 2014, at 9:14 AM, Reindl Harald <h....@thelounge.net> wrote:
>> 
>>> one thing would be fine too
>>> 
>>> * having a PEM file with Cert/Key/Intermediate-CA
>>> * in that case no need for "ssl_ca_name" in "ssl_multicert.config"
>>> 
>>> the valid use case here is that the wildcard cert we are using starting
>>> with 2014/01 is used for mail, http and whatnot - dovecot has no config
>>> for the CA file, so the PEM file already contains the full chain, which
>>> looks like at the bottom
>>> 
>>> in case of different certs from different CAs used for different
>>> services this may make things less error-prone, not a big deal, only
>>> a wish if someone has the knowledge and is willing to implement it
>> 
>> I think that this should be straightforward. I even have a comment in the code saying that using a different OpenSSL API would make this work. Does this patch work?
> 
> thanks for the feedback, sadly I am out of test environments for that because
> the test servers are all using self-signed certificates with no CA
> 
> for the moment I can apply that to 4.2.0 RC0 and verify normal TLS
> operations and as soon as 4.20 is out test it on the production machine
> which for now only has one more or less testing domain for TLS

https://issues.apache.org/jira/browse/TS-2649

This is fixed for the 5.1 release.

J
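The single-PEM layout Reindl asks for above (server certificate, private key and intermediate CA in one file, so no separate ssl_ca_name is needed) only helps if the bundle really does contain the intermediate; a bundle with the leaf alone is served as an incomplete chain. Below is an added example, not part of this thread or of Traffic Server, that splits a concatenated PEM file into its blocks and reports layout problems before such a file is dropped into ssl_multicert.config. The sample bundles are constructed with placeholder base64 bodies, not real keys.

```python
import base64
import binascii
import re

# One PEM block: the END label must match the BEGIN label (backreference \1).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, base64 body), ...] for every well-formed block in a PEM file."""
    return [(m.group(1), m.group(2)) for m in PEM_BLOCK.finditer(text)]


def check_bundle(text):
    """Sanity-check a cert/key/intermediate bundle. Returns a list of problems;
    an empty list means the layout looks complete and well-formed."""
    blocks = pem_blocks(text)
    labels = [label for label, _ in blocks]
    problems = []
    # A BEGIN whose END label does not match is silently skipped by the regex,
    # so compare the number of BEGIN markers with the number of parsed blocks.
    if text.count("-----BEGIN ") != len(blocks):
        problems.append("malformed block: BEGIN/END labels do not match")
    for label, body in blocks:
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error:
            problems.append(f"{label} block is not valid base64")
    keys = [l for l in labels if l.endswith("PRIVATE KEY")]
    certs = [l for l in labels if l == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append(f"expected exactly one private key, found {len(keys)}")
    if not certs:
        problems.append("no certificate block found")
    elif len(certs) < 2:
        problems.append("only one certificate: no intermediate CA, "
                        "clients would receive an incomplete chain")
    if labels and labels[0] != "CERTIFICATE":
        problems.append("first block should be the server certificate")
    return problems


# Constructed samples: placeholder bodies, not real certificates or keys.
LEAF = "-----BEGIN CERTIFICATE-----\nQUJDRA==\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nS0VZ\n-----END RSA PRIVATE KEY-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nSU5U\n-----END CERTIFICATE-----\n"
FULL_CHAIN_PEM = LEAF + KEY + INTERMEDIATE   # the layout the thread describes
LEAF_ONLY_PEM = LEAF + KEY                   # intermediate missing

if __name__ == "__main__":
    print("full chain:", check_bundle(FULL_CHAIN_PEM) or "ok")
    print("leaf only:", check_bundle(LEAF_ONLY_PEM))
```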