I've taken a crack at the odd wording and confusing content and done some more testing:

http://people.apache.org/~covener/sslchain.diff

On Mon, Aug 25, 2008 at 8:29 AM, Eric Covener <cove...@gmail.com> wrote:
> On Sun, Aug 24, 2008 at 6:35 PM, Eric Covener <cove...@gmail.com> wrote:
>> On Wed, Aug 20, 2008 at 12:46 AM, Vincent Bray <nood...@gmail.com> wrote:
>>> The second paragraph of this directive's explanation ends "That's usually not one expect."
>>>
>>> Should that be "That's not usually what one expects."? The next paragraph takes some parsing too.
>>>
>>> I've no idea what this directive does so thought I'd best ask for clarification :-)
>>
>> In my testing, the two directives did not overlap at all, namely this phrase looks to be incorrect:
>>
>> "Because although placing a CA certificate of the server certificate chain into SSLCACertificatePath has the same effect for the certificate chain construction"
>>
>> SSLCACertificatePath does not cause openssl to send intermediate certificates during the Server Hello, but SSLCertificateChainFile does.
>>
>> SSLCertificateChainFile is useful if the server's certificate is issued by an intermediate certificate authority. If a client trusts the root CA, they just might not have a copy of the intermediate cert, but they can validate the server-provided intermediate cert against their own copy of the root cert, and proceed as if it was trusted.
>>
>> This is seemingly independent of client authentication, because the SSLCertificateChainFile directive doesn't actually add to the list of DN's communicated during the client certificate request (like SSLCACertificatePath does)
>
> This comment, and all the attention in the SSLCertificateChainFile, implies I'm mis-observing how this works:
>
> ssl_engine_init.c:
> +    /*
> +     * Optionally configure extra server certificate chain certificates.
> +     * This is usually done by OpenSSL automatically when one of the
> +     * server cert issuers are found under SSLCACertificatePath or in
> +     * SSLCACertificateFile. But because these are intended for client
> +     * authentication it can conflict. For instance when you use a
> +     * Global ID server certificate you've to send out the intermediate
> +     * CA certificate, too. When you would just configure this with
> +     * SSLCACertificateFile and also use client authentication mod_ssl
> +     * would accept all clients also issued by this CA. Obviously this
> +     * isn't what we want in this situation. So this feature here exists
> +     * to allow one to explicity configure CA certificates which are
> +     * used only for the server certificate chain.
> +     */
>
> Could just be a change in behavior in openssl, i.e. that certificate chains for the Server Hello are implicitly constructed/sent just by virtue of the intermediate certs existing in the servers trust store.
>
> --
> Eric Covener
> cove...@gmail.com

--
Eric Covener
cove...@gmail.com

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscr...@httpd.apache.org
For additional commands, e-mail: docs-h...@httpd.apache.org
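Review bot: the quoted comment's opening claim, that the chain is "usually done by OpenSSL automatically" when an issuer is found under SSLCACertificatePath or SSLCACertificateFile, is contradicted by the test result reported earlier in this thread (SSLCACertificatePath did not cause intermediate certificates to be sent in the Server Hello); either state the condition under which OpenSSL builds the chain on its own or drop that sentence, so the comment and the SSLCertificateChainFile documentation say the same thing. Minor: "explicity" should read "explicitly".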
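The situation Eric describes (a client that trusts the root CA but has no copy of the intermediate, so it can only validate the server certificate if the server hands over the intermediate) can be reproduced offline with the openssl command line. The script below is an added example, not part of this thread and not mod_ssl code: it builds a constructed three-level PKI (a made-up "Demo Root CA", "Demo Intermediate CA" and a leaf for the invented host www.example.test), then runs `openssl verify` twice from the viewpoint of a client that trusts only the root. The first run is given the leaf alone, which is what that client sees when the server only has SSLCACertificatePath configured; the second run is also given the intermediate via `-untrusted`, which models the extra certificate the server sends when SSLCertificateChainFile points at it. The file names, temp directory and helper function names are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or mod_ssl): reproduce the chain
# situation with the openssl CLI. The PKI below is constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so the demo does not depend on a system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

gen_chain() {
  # Self-signed root: the only certificate the client will trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 3 \
    -config "$WORK/req.cnf" -extensions v3_ca -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null

  # Intermediate CA issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/inter.key" -out "$WORK/inter.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/inter.ext"
  openssl x509 -req -in "$WORK/inter.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 3 -extfile "$WORK/inter.ext" -out "$WORK/inter.crt" 2>/dev/null

  # Server (leaf) certificate issued by the intermediate, never by the root.
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
    > "$WORK/server.ext"
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/inter.crt" -CAkey "$WORK/inter.key" \
    -CAcreateserial -days 3 -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null

  # This is the file SSLCertificateChainFile would point at: intermediate(s) only.
  # (httpd would use SSLCertificateFile server.crt / SSLCertificateKeyFile server.key
  #  alongside it; that httpd config is not exercised here.)
  cat "$WORK/inter.crt" > "$WORK/chain.pem"
}

# Client trusts only the root and receives just the leaf
# (the SSLCACertificatePath-only case from the thread).
verify_without_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Same client, but the server also sent the intermediate
# (the SSLCertificateChainFile case). -untrusted holds certificates
# that arrive with the handshake and must themselves chain to the root.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/chain.pem" \
    "$WORK/server.crt" >/dev/null 2>&1
}

gen_chain
if verify_without_intermediate; then
  echo "leaf alone verified (unexpected)"
else
  echo "leaf alone: no local issuer for the leaf, verification fails as expected"
fi
if verify_with_intermediate; then
  echo "leaf + intermediate: chains to the trusted root, verification succeeds"
fi
```

The `-untrusted` input is the key point: the intermediate is not added to the client's trust store, it is only made available for chain building, exactly as a server-sent intermediate is, so the client still anchors trust solely in the root it already holds. This is also why shipping the intermediate through SSLCertificateChainFile does not widen which client certificates the server would accept, whereas putting it in SSLCACertificateFile does, as the quoted ssl_engine_init.c comment warns.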