Dr Stephen Henson wrote:
> 
> Richard Levitte - VMS Whacker wrote:
> >
> > amoskoff> After reading the archive and modssl FAQ I have almost everything working.
> > amoskoff> But there is one question. In order to use the CApath in the function
> > amoskoff> ``SSL_CTX_load_verify_locations'' you have to generate a hash value and
> > amoskoff> do the appropriate symbolic link. What I don't understand is why this doesn't
> > amoskoff> work until I append a ``.0'' to the file? What is the significance of this?
> >
> > The file name has to be in the format {hash}.{s/n}, where {s/n} is the
> > certificate serial number.  Most often, that is simply 0.  I haven't
> > quite understood yet how it would ever get any other number there, at
> > least automagically...
> >
> 
> Well it's not the certificate serial number as in the serial number of
> the certificate :-)
> 
> I think the idea is that the actual hash value is quite short so it is
> conceivable that two distinct certificates will have the same hash.

The hash is calculated from the subject's name, which is reasonable since
the task is: find the cert of the _issuer_ of my cert, which looks for a
_subject_ of another cert.

> There are 2^32 possible hash values but there is a reasonable chance of
> a collision with relatively small numbers of certificates. If I recall
> what I briefly read somewhere about the "birthday attack" you'd need
> 2^16 certificates to have a 50% probability of a collision... someone
> please correct me if I've got that wrong.

You are right.
 
> The final number is, I guess, there as a way to represent several certs
> with the same hash value. Having said that it doesn't seem to be
> implemented properly.

Hmmm... I extensively played with this once upon a time (around 0.6.x
or so) and it worked then. The ability to represent different certs
with the same hash value is vital if you adopt a strategy of 2 years 
CA cert validity, 1 year active usage and overlapping validity.
 
> The whole hash thing is IMHO a bit of a hack anyway, it relies on
> symbolic links which won't work under e.g. Windows and it can only look

You don't need symbolic links, you can hold actual copies, although it's
more difficult then to maintain consistency.

> up by a broken hash calculation on subject name. 

But the subject name is all you have, when you look for an issuer...

-- 
Holger Reif                  Tel.: +49 361 74707-0
SmartRing GmbH               Fax.: +49 361 7470720
Europaplatz 5             [EMAIL PROTECTED]
D-99091 Erfurt                    WWW.SmartRing.de
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
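
Added example (not part of the original messages and not OpenSSL's code): a sketch of the {hash}.{n} directory scheme discussed in this thread, showing how the numeric suffix separates two different subjects with the same hash and two CA certs with the same subject during an overlapping rollover. Assumptions: `toy_hash` is a deliberately weak stand-in for the real subject-name hash, the one-subject-per-file text format is constructed, and the lookup stops at the first missing suffix.

```python
import os
import tempfile

def toy_hash(subject):
    """Stand-in 32-bit hash of the subject name (NOT OpenSSL's algorithm).
    A byte sum makes anagram subjects collide, which the demo relies on."""
    return "%08x" % (sum(subject.encode()) & 0xFFFFFFFF)

def install(capath, subject, body):
    """Store a cert as {hash}.{n}, using the first free n (0, 1, 2, ...)."""
    h, n = toy_hash(subject), 0
    while os.path.exists(os.path.join(capath, "%s.%d" % (h, n))):
        n += 1
    name = "%s.%d" % (h, n)
    with open(os.path.join(capath, name), "w") as f:
        f.write(subject + "\n" + body + "\n")  # constructed format: subject, then body
    return name

def lookup(capath, issuer):
    """Return (file name, body) for every stored cert whose subject is `issuer`."""
    h, n, found = toy_hash(issuer), 0, []
    while True:
        name = "%s.%d" % (h, n)
        path = os.path.join(capath, name)
        if not os.path.exists(path):
            break  # assumed: suffixes are contiguous, so a gap ends the search
        with open(path) as f:
            subject, body = f.read().splitlines()[:2]
        if subject == issuer:  # the hash only narrows the search; compare the full name
            found.append((name, body))
        n += 1
    return found

def demo():
    """Constructed sample: one CA rolled over (same subject twice) plus a colliding subject."""
    with tempfile.TemporaryDirectory() as capath:
        names = [
            install(capath, "CN=Example CA", "key-2023"),
            install(capath, "CN=Elpmaxe CA", "other-ca"),  # anagram: same toy hash
            install(capath, "CN=Example CA", "key-2024"),  # overlapping-validity rollover
        ]
        return names, lookup(capath, "CN=Example CA")

if __name__ == "__main__":
    files, hits = demo()
    print(files)
    print(hits)
```

A file named with the bare hash and no suffix would never be opened by `lookup`, which is the behaviour the original question ran into.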
