Bodo Moeller wrote:
>
> "Ralf S. Engelschall" <[EMAIL PROTECTED]>:
>
> [...]
> >> In SSLeay 0.9.1b, Eric added a function SSL_CTX_add_extra_chain_cert
> >> that allows one to cleanly build the chain for the server certificate.
> >> I'm afraid, though, that mod_ssl doesn't use it as of yet.
>
> > What do you suggest for supporting this in mod_ssl, Bodo?
> > Via an explicit SSLCACertChain or whatever directive? Or implicitly?
>
> The behaviour that makes most sense, I think, is if you just have to
> append the CA certificate(s) to the usual certificate file.
Yes, that would be a good idea. You shouldn't have to trust a certificate
just to get the server chain sent: indeed you might not want to.
Unless I've misread the source, I think the current stuff has just one
set of 'additional certificates', whereas what is needed is one per
certificate type (so it can send a different chain with RSA or DSA
certificates).
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
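The convention discussed above (leaf certificate first, CA chain appended to the same file, with trust decided separately by the relying party), as an added example that is not code from the thread, mod_ssl or OpenSSL itself. It assumes only the `openssl` command-line tool; the three-level PKI, the file names and the subject names are all constructed for the demo. The "without chain file" step shows why the chain has to be shipped at all, and the `-untrusted` step shows Steve's point that shipping the intermediate does not require anyone to trust it.

```shell
#!/bin/sh
# Added example (not from the thread, mod_ssl or OpenSSL): build a server
# certificate file with the CA chain appended, then verify the leaf against
# a trust store that holds only the root. Assumes the `openssl` CLI.
# Root CA, intermediate CA, server cert, and every file name are made up.
set -eu

# Create root -> intermediate -> server under a temp directory and print its path.
build_chain_demo() {
  work=$(mktemp -d)
  cnf="$work/demo.cnf"
  # Self-contained config so the demo does not depend on a system openssl.cnf.
  cat > "$cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
  # Self-signed root: the only thing the relying party will trust.
  openssl req -x509 -config "$cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo Root CA" \
    -keyout "$work/root.key" -out "$work/root.pem" >/dev/null 2>&1
  # Intermediate CA issued by the root.
  openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=Demo Intermediate CA" \
    -keyout "$work/inter.key" -out "$work/inter.csr" >/dev/null 2>&1
  openssl x509 -req -in "$work/inter.csr" -CA "$work/root.pem" -CAkey "$work/root.key" \
    -CAcreateserial -days 30 -extfile "$cnf" -extensions ca_ext \
    -out "$work/inter.pem" >/dev/null 2>&1
  # Server certificate issued by the intermediate.
  openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$work/server.key" -out "$work/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$work/server.csr" -CA "$work/inter.pem" -CAkey "$work/inter.key" \
    -CAcreateserial -days 30 -extfile "$cnf" -extensions leaf_ext \
    -out "$work/server.pem" >/dev/null 2>&1
  # The proposed file layout: server cert first, then the CA cert(s) that
  # complete the chain. Nothing in this file is a trust anchor.
  cat "$work/server.pem" "$work/inter.pem" > "$work/server-chain.pem"
  echo "$work"
}

# Number of PEM certificates in the combined file (leaf + extra chain certs).
chain_cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1/server-chain.pem"
}

# Subject of the first certificate in the file: must be the server, not a CA.
chain_first_subject() {
  openssl x509 -in "$1/server-chain.pem" -noout -subject
}

# Relying party trusts only the root; the appended intermediate is supplied
# as *untrusted* chain material, exactly as a TLS client would receive it.
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/server-chain.pem" \
    "$1/server.pem" >/dev/null 2>&1
}

# Same trust store, but no chain shipped: the issuer cannot be found.
verify_without_chain() {
  openssl verify -CAfile "$1/root.pem" "$1/server.pem" >/dev/null 2>&1
}

dir=$(build_chain_demo)
echo "chain file: $(chain_cert_count "$dir") certs, first is $(chain_first_subject "$dir")"
if verify_with_chain "$dir"; then echo "with chain file: OK"; fi
if verify_without_chain "$dir"; then
  echo "without chain file: OK (unexpected)"
else
  echo "without chain file: issuer not found, as expected"
fi
```

The order inside the combined file matters: `openssl x509` reads only the first certificate, so a server that loads the file the same way picks up the leaf and must treat everything after it as extra chain certificates. Keeping the root out of both the file and the `-untrusted` list, and in `-CAfile` alone, is what separates "certificates I send" from "certificates I trust".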