On 12/13/2013 09:54 AM, Ruediger Pluem wrote:
jkal...@apache.org wrote:
Author: jkaluza
Date: Wed Dec 11 07:16:28 2013
New Revision: 1550060
URL: http://svn.apache.org/r1550060
Log:
mod_ssl: Add -t -DDUMP_CA_CERTS option which dumps the filenames of all
configured SSL CA certificates to stdout the same way as DUMP_CERTS does.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL:
http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1550060&r1=1550059&r2=1550060&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Wed Dec 11 07:16:28 2013
@@ -1870,30 +1870,95 @@ const char *ssl_cmd_SSLSRPUnknownUserSee
#endif /* HAVE_SRP */
-void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
+static void dump_ca_cert_file(apr_file_t *out, const char *file) {
+ X509 *rc;
+ BIO *bioS;
+
+ if ((bioS=BIO_new_file(file, "r")) == NULL) {
+ return;
+ }
+
+ /* ca_cert_file is loaded using SSL_load_client_CA_file(). This method
+ * loads only file of PEM formatted certificates, so we have to load
+ * only PEM here too, to stay consistent.
+ */
+ rc = PEM_read_bio_X509 (bioS, NULL, NULL, NULL);
+ BIO_free(bioS);
+ if (rc) {
+ apr_file_printf(out, " %s\n", file);
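Review bot: a file that BIO_new_file() cannot open at the top of dump_ca_cert_file() is dropped silently, so the dump cannot tell an unreadable CA file from one that simply is not PEM; consider logging the failure (at least at debug level) before the bare `return;`, since a permissions problem on a file in SSLCACertificatePath would otherwise just make the file vanish from the output. Note also that PEM_read_bio_X509() only parses the first certificate in the file, so a file whose later certificates are broken still prints as valid; document that in the comment if it is intentional. Style: `PEM_read_bio_X509 (bioS, ...)` has a stray space before the parenthesis, and the new function's opening brace is on the signature line while the neighbouring ssl_hook_ConfigTest() signature being removed has none, so the brace placement should follow the existing file convention.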
Hm, do I miss the point or why don't we print out anything from the cert we
just loaded and just the filename?
Do we just want to know if the cert file loads?
First, sorry for the late response, I was away during Christmas time. The
idea was to stay consistent with what DUMP_CERTS does, so DUMP_CA_CERTS
prints only the filename of the cert so it can later be passed to certwatch.
I'm trying to load the certificate to find out if it's valid. I think
this has to be done, because you can use SSLCACertificatePath to set the
path to a directory containing CA certificates, and to really print only
valid certificates from this directory, we have to actually try to load
them and ignore those which can't be loaded.
This is not done for DUMP_CERTS, because there is no directory
equivalent of SSLCertificateFile (which is logical).
If we presume that the directory specified by SSLCACertificatePath contains
only valid certificates and no other files, we could remove that
validity check and just print the filenames of all files in that directory.
Regards
Rüdiger
Regards,
Jan Kaluza
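To illustrate the directory walk Jan describes (try to load every file under the CA path, print only the ones that load), here is an added example that is not httpd code: it uses only the Python standard library, so instead of a full X.509 parse it checks PEM armour plus the outer DER SEQUENCE length, and the sample directory it builds contains constructed stand-in bodies, not real certificates.

```python
import base64
import binascii
import os
import ssl
import tempfile

def pem_cert_parses(path):
    """True if the file holds one PEM certificate whose DER body is a SEQUENCE
    with a consistent length (structural check only; httpd's PEM_read_bio_X509
    parses the whole X.509 structure)."""
    try:
        with open(path, "r", encoding="ascii") as fh:
            der = ssl.PEM_cert_to_DER_cert(fh.read())
    except (OSError, ValueError, binascii.Error):
        return False  # unreadable, no PEM armour, or bad base64
    if len(der) < 2 or der[0] != 0x30:
        return False  # an X.509 Certificate is an outer DER SEQUENCE
    if der[1] < 0x80:
        hdr, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        hdr, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return len(der) == hdr + length

def classify_ca_path(dirpath):
    """Map each regular file in an SSLCACertificatePath-style directory to
    whether it would be dumped (True) or ignored (False)."""
    return {name: pem_cert_parses(os.path.join(dirpath, name))
            for name in sorted(os.listdir(dirpath))
            if os.path.isfile(os.path.join(dirpath, name))}

def dump_ca_certs(dirpath):
    """Mimic -t -DDUMP_CA_CERTS: print and return only the loadable files."""
    loaded = [n for n, ok in classify_ca_path(dirpath).items() if ok]
    for name in loaded:
        print(" %s" % os.path.join(dirpath, name))
    return loaded

def _pem(der):
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % b64

def build_sample_dir():
    """Constructed sample directory (assumed layout, not from the thread):
    one structurally valid stand-in, one truncated body, one non-PEM file."""
    d = tempfile.mkdtemp()
    files = {"ca1.pem": _pem(b"\x30\x03\x02\x01\x05"),  # SEQUENCE, 3 bytes
             "bad.pem": _pem(b"\x30\x10\x02\x01\x05"),  # claims 16, has 3
             "README.txt": "not a certificate\n"}
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d

if __name__ == "__main__":
    dump_ca_certs(build_sample_dir())
```

Running it prints only ca1.pem, the same shape of output the patch produces for a directory that mixes loadable and unloadable files.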