On Wed, Aug 20, 2008 at 12:46 AM, Vincent Bray <[EMAIL PROTECTED]> wrote:
> The second paragraph of this directive's explanation ends "That's
> usually not one expect."
>
> Should that be "That's not usually what one expects."? The next
> paragraph takes some parsing too.
>
> I've no idea what this directive does so thought I'd best ask for
> clarification :-)

In my testing, the two directives did not overlap at all, namely this phrase looks to be incorrect:

"Because although placing a CA certificate of the server certificate chain into SSLCACertificatePath has the same effect for the certificate chain construction"

SSLCACertificatePath does not cause openssl to send intermediate certificates during the Server Hello, but SSLCertificateChainFile does.

SSLCertificateChainFile is useful if the server's certificate is issued by an intermediate certificate authority. If a client trusts the root CA, they just might not have a copy of the intermediate cert, but they can validate the server-provided intermediate cert against their own copy of the root cert, and proceed as if it was trusted.

This is seemingly independent of client authentication, because the SSLCertificateChainFile directive doesn't actually add to the list of DNs communicated during the client certificate request (like SSLCACertificatePath does).

--
Eric Covener
[EMAIL PROTECTED]
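
The client-side behaviour described in the reply above, reproduced offline with the openssl command line as an added example (not part of the original thread): the file passed to `-untrusted` stands in for the intermediate a server would send when SSLCertificateChainFile is set. The certificate names, file names and the helper functions `build_pki` and `verify_chain` are made up for the illustration.

```shell
#!/usr/bin/env bash
# Constructed throw-away PKI (root -> intermediate -> server); all names are made up.
set -e

build_pki() (   # $1 = empty working directory; body runs in a subshell
  cd "$1"
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=placeholder\n' > req.cnf
  printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
  for n in root inter server; do
    openssl req -new -newkey rsa:2048 -nodes -config req.cnf \
      -subj "/CN=Example $n" -keyout "$n.key" -out "$n.csr" 2>/dev/null
  done
  # Self-signed root, intermediate signed by root, server cert signed by intermediate.
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
    -days 2 -out root.pem 2>/dev/null
  openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 2 -out inter.pem 2>/dev/null
  openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
    -days 2 -out server.pem 2>/dev/null
)

# The client trusts only root.pem. $2 (optional) is a file of extra certificates
# received from the server; -untrusted means they are used for path building
# but must themselves chain to the trusted root.
verify_chain() {   # $1 = PKI directory
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/$2" "$1/server.pem"
  else
    openssl verify -CAfile "$1/root.pem" "$1/server.pem"
  fi 2>/dev/null | grep -q ': OK$'
}

dir=$(mktemp -d)
build_pki "$dir"
verify_chain "$dir" && echo "server sends leaf only: verified" \
  || echo "server sends leaf only: rejected (issuer unknown to client)"
verify_chain "$dir" inter.pem && echo "server sends leaf + intermediate: verified" \
  || echo "server sends leaf + intermediate: rejected"
rm -rf "$dir"
```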