GitHub user shinrich commented on the pull request: https://github.com/apache/trafficserver/pull/578#issuecomment-212078480

Well, looking at the existing tests anyway told me that my initial solution was wrong. We are moving into the area where behavior changes between 1.0.2 and 1.0.1. I just spent a couple of hours with my 1.0.2 build and got this scenario working correctly in 1.0.2: only return the cipher-appropriate main cert (true in 1.0.1 and 1.0.2) and only return the cipher-appropriate intermediate cert (true only for 1.0.2; in 1.0.1 all intermediate certs will be returned regardless of cipher type because there is only one chain).

The existing test checks for the number of certs returned in the chain and expects 2. This is true in the original code because we only ever added the first cert in the ssl_ca_name list. This series of code fixes changes this logic, and the behavior changes depending on which openssl version is in use. For 1.0.1, three certs will be in the chain (base cert and both intermediates). For 1.0.2, two certs will be in the chain (base cert and intermediate of the appropriate type).

@jacksontj, do we specify different versions of openssl to test against? Or should we make our test results conditional based on the version that happens to be present in the test environment?

Also, should these decisions be made at compile time? Or should we try to be clever at run time and use the 1.0.2 support if we are linking against 1.0.2 and gracefully fall back to the 1.0.1 API otherwise? For the moment, I'll add compile-time checks and push my changes up.