On 12/13/2013 09:54 AM, Ruediger Pluem wrote:


jkal...@apache.org wrote:
Author: jkaluza
Date: Wed Dec 11 07:16:28 2013
New Revision: 1550060

URL: http://svn.apache.org/r1550060
Log:
mod_ssl: Add -t -DDUMP_CA_CERTS option which dumps the filenames of all
configured SSL CA certificates to stdout the same way as DUMP_CERTS does.

Modified:
     httpd/httpd/trunk/CHANGES
     httpd/httpd/trunk/modules/ssl/ssl_engine_config.c


Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1550060&r1=1550059&r2=1550060&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Wed Dec 11 07:16:28 2013
@@ -1870,30 +1870,95 @@ const char *ssl_cmd_SSLSRPUnknownUserSee

  #endif /* HAVE_SRP */

-void ssl_hook_ConfigTest(apr_pool_t *pconf, server_rec *s)
+static void dump_ca_cert_file(apr_file_t *out, const char *file) {
+    X509 *rc;
+    BIO *bioS;
+
+    if ((bioS=BIO_new_file(file, "r")) == NULL) {
+        return;
+    }
+
+    /* ca_cert_file is loaded using SSL_load_client_CA_file(). This method
+     * loads only file of PEM formatted certificates, so we have to load
+     * only PEM here too, to stay consistent.
+     */
+    rc = PEM_read_bio_X509 (bioS, NULL, NULL, NULL);
+    BIO_free(bioS);
+    if (rc) {
+        apr_file_printf(out, "  %s\n", file);

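Review bot: In the lines shown, the X509 returned by PEM_read_bio_X509() is stored in `rc`, tested, and never passed to X509_free(), so every CA certificate that does load is leaked; add `X509_free(rc);` after the `if (rc)` block, and consider renaming `rc` to `cert`, since `rc` reads as a return code. The function is also silent on both failure paths: when BIO_new_file() fails and when the file opens but does not parse it just returns, so a broken file under SSLCACertificatePath disappears from the -DDUMP_CA_CERTS output with no hint that it was rejected, and a failed PEM_read_bio_X509() leaves entries on the OpenSSL error queue that nothing clears (ERR_clear_error()); a log line naming the skipped file would make the dump far more useful for spotting misconfiguration. Minor style: httpd puts the opening brace of a function definition on its own line, `bioS=BIO_new_file(file, "r")` wants spaces around `=`, and `PEM_read_bio_X509 (bioS, ...)` has a stray space before the parenthesis.
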
Hm, am I missing the point, or why don't we print out anything from the cert we just loaded and only the filename?
Do we just want to know if the cert file loads?

First, sorry for the late response, I was away during Christmas time. The idea was to stay consistent with what DUMP_CERTS does, so DUMP_CA_CERTS prints only the filename of the cert so it can later be passed to certwatch.

I'm trying to load the certificate to find out if it's valid. I think this has to be done, because you can use SSLCACertificatePath to set the path to a directory containing CA certificates, and to print really only the valid certificates from this directory we have to actually try to load them and ignore those which can't be loaded.

This is not done for DUMP_CERTS, because there is no directory equivalent of SSLCertificateFile (which is logical).

If we presume that the directory specified by SSLCACertificatePath contains only valid certificates and no other files, we could remove that validity check and just print the filenames of all files in that directory.

Regards

Rüdiger


Regards,
Jan Kaluza

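The directory case Jan describes above (report only the files under SSLCACertificatePath that actually load as PEM certificates, skip the rest), as an added Python example that is not part of this thread or of httpd: it relies on the stdlib ssl module, whose load_verify_locations() runs the same OpenSSL PEM parser, and the directory and file names are assumptions.

```python
"""Mirror of what -t -DDUMP_CA_CERTS aims to do for SSLCACertificatePath:
walk a directory, try to load each file as a PEM CA certificate, and
report only the filenames that load (example code, not httpd's)."""
import os
import ssl


def loadable_ca_certs(ca_dir):
    """Return the sorted filenames in ca_dir that OpenSSL accepts as PEM
    X.509 certificates. Anything else (README, private keys, broken PEM,
    subdirectories) is skipped, just as dump_ca_cert_file() skips files
    that PEM_read_bio_X509() rejects."""
    found = []
    for name in sorted(os.listdir(ca_dir)):
        path = os.path.join(ca_dir, name)
        if not os.path.isfile(path):
            continue  # c_rehash dirs may hold symlinks to files; dirs are not certs
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        try:
            # Fails unless the file contains at least one valid PEM
            # "CERTIFICATE" block; same parser httpd uses underneath.
            ctx.load_verify_locations(cafile=path)
        except (ssl.SSLError, OSError):
            continue  # unreadable or not a certificate: leave it out of the dump
        found.append(name)
    return found


def dump_ca_certs(ca_dir):
    """Print the loadable files in the two-space indented form the patch
    uses, and return the list so callers can check it."""
    names = loadable_ca_certs(ca_dir)
    for name in names:
        print("  %s" % name)
    return names
```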