GOMEZ Henri wrote:
>>I thought the problem was that mod_ssl only passes the one cert. If it
>>somehow allows access to the whole chain, then definitely ...
>>you could
>>cache it like TC4. I'd be willing to help with that =)
>>
>
> As i said previously we only forward SSL_CLIENT_CERT,
> and to have all you'll have to pass also SSL_CLIENT_CERT_CHAIN0,
> SSL_CLIENT_CERT_CHAIN1, SSL_CLIENT_CERT_CHAIN2....
>
> Many bytes to be forwarded each time, isn't it?
>
Well, as Craig points out, you need some kind of notification from
mod_ssl that differentiates between an initial SSL request and all
subsequent requests from that session. Then, you could simply forward
the whole chain the first time only. Unless you can get that kind of
info from Apache, then yes, I agree that forwarding the whole chain with
every request is not good, and you should just forward the client cert.
- Christopher
/**
* Weep, weep, my eyes, and dissolve into water!
* Half of my life has laid the other half in the tomb.
* ---Corneille
*/
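The scheme Christopher describes above, as an added example that is not part of the original thread and not mod_jk, mod_ssl or Tomcat code: a connector that forwards SSL_CLIENT_CERT on every request but the SSL_CLIENT_CERT_CHAINn variables only the first time it sees a given TLS session, and a backend that caches the intermediates per session. The variable names SSL_CLIENT_CERT, SSL_CLIENT_CERT_CHAINn and SSL_SESSION_ID are the real mod_ssl ones; the class names, the use of the session id as the cache key, the fingerprint check, and the PEM strings are all assumptions made for this illustration. It also walks through the two failure modes a practitioner would hit: the backend losing its cache while the connector still believes the chain was sent, and a session id that turns up with a different leaf certificate.

```python
"""Added example: forward the client cert chain once per TLS session and
cache it on the backend. Not mod_jk/mod_ssl/Tomcat code; names and data
below are constructed for illustration."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass, field

# Real mod_ssl variable names: SSL_CLIENT_CERT is the leaf, the issuing
# certificates are numbered SSL_CLIENT_CERT_CHAIN0, SSL_CLIENT_CERT_CHAIN1, ...
CHAIN_RE = re.compile(r"^SSL_CLIENT_CERT_CHAIN(\d+)$")

# Constructed stand-ins for PEM bodies (not real certificates).
LEAF = "-----BEGIN CERTIFICATE-----\nconstructed-leaf\n-----END CERTIFICATE-----"
INTER = "-----BEGIN CERTIFICATE-----\nconstructed-intermediate\n-----END CERTIFICATE-----"
ROOT = "-----BEGIN CERTIFICATE-----\nconstructed-root\n-----END CERTIFICATE-----"


def fingerprint(pem: str) -> str:
    """Stable identifier for a certificate body (SHA-256 over the PEM text)."""
    return hashlib.sha256(pem.encode()).hexdigest()


def chain_from_env(env: dict[str, str]) -> list[str]:
    """Collect SSL_CLIENT_CERT_CHAINn values in numeric order (0 = closest to leaf)."""
    numbered = []
    for key, value in env.items():
        m = CHAIN_RE.match(key)
        if m:
            numbered.append((int(m.group(1)), value))
    return [value for _, value in sorted(numbered)]


@dataclass
class Connector:
    """Front-end side (hypothetical): remembers which TLS sessions already got the chain."""
    sent_chain_for: set[str] = field(default_factory=set)

    def build_request(self, env: dict[str, str]) -> dict[str, str]:
        """Always forward the leaf; add the chain only on the session's first request."""
        sid = env["SSL_SESSION_ID"]
        out = {"SSL_SESSION_ID": sid, "SSL_CLIENT_CERT": env["SSL_CLIENT_CERT"]}
        if sid not in self.sent_chain_for:
            for i, cert in enumerate(chain_from_env(env)):
                out[f"SSL_CLIENT_CERT_CHAIN{i}"] = cert
            self.sent_chain_for.add(sid)
        return out


@dataclass
class Backend:
    """Container side (hypothetical): caches intermediates per session id,
    bound to the fingerprint of the leaf they were received with."""
    cache: dict[str, tuple[str, list[str]]] = field(default_factory=dict)

    def client_chain(self, attrs: dict[str, str]) -> tuple[list[str], bool]:
        """Return (leaf + intermediates, complete). complete is False when no
        chain was forwarded and none can safely be taken from the cache."""
        sid = attrs["SSL_SESSION_ID"]
        leaf = attrs["SSL_CLIENT_CERT"]
        fp = fingerprint(leaf)
        forwarded = chain_from_env(attrs)
        if forwarded:
            self.cache[sid] = (fp, forwarded)
            return [leaf] + forwarded, True
        cached = self.cache.get(sid)
        if cached is None or cached[0] != fp:
            # Either this backend never saw the session (restart, or another
            # worker got the first request), or the session id now carries a
            # different client cert: never pair the leaf with stale intermediates.
            self.cache.pop(sid, None)
            return [leaf], False
        return [leaf] + cached[1], True


def simulate() -> list[tuple[int, int, bool]]:
    """Two requests on one session, then the same session after a backend restart.
    Each entry is (attributes forwarded, certificates available, complete)."""
    conn, back = Connector(), Backend()
    env = {"SSL_SESSION_ID": "ab12", "SSL_CLIENT_CERT": LEAF,
           "SSL_CLIENT_CERT_CHAIN0": INTER, "SSL_CLIENT_CERT_CHAIN1": ROOT}
    results = []
    for _ in range(2):
        attrs = conn.build_request(env)
        certs, complete = back.client_chain(attrs)
        results.append((len(attrs), len(certs), complete))
    back = Backend()  # backend restarts; connector still thinks the chain was sent
    attrs = conn.build_request(env)
    certs, complete = back.client_chain(attrs)
    results.append((len(attrs), len(certs), complete))
    return results


if __name__ == "__main__":
    print(simulate())  # [(4, 3, True), (2, 3, True), (2, 1, False)]
```

The third result is the point of the exercise: once the connector stops sending the chain, any backend that missed the first request (a restart, or a second Tomcat behind a load balancer) is back to the leaf-only situation the thread starts from, and the application has to decide whether that is acceptable. The fingerprint check is there so a session id seen with a different leaf (for example after renegotiation) cannot inherit intermediates that belong to another client.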