On 12/22/2013 09:30 AM, Kaspar Brand wrote:
On 11.12.2013 08:16, jkal...@apache.org wrote:
Author: jkaluza
Date: Wed Dec 11 07:16:28 2013
New Revision: 1550060

URL: http://svn.apache.org/r1550060
Log:
mod_ssl: Add -t -DDUMP_CA_CERTS option which dumps the filenames of all
configured SSL CA certificates to stdout the same way as DUMP_CERTS does.

In addition to what Rüdiger noted (on 13 December): are -DDUMP_CERTS and
-DDUMP_CA_CERTS supposed to be mutually exclusive? Right now, specifying
both will have the effect of only outputting the certs (due to the early
return in line 1937).

They were intended to be mutually exclusive, but I admit the current situation is not optimal. I should have checked for this and done something smarter than outputting only certs...


Another idea is to interleave server and CA cert information and output
them by the vhost_id, e.g.:

foo.example.net:443
   Server: /usr/local/apache2/conf/server-foo.crt
   CA:     /usr/local/apache2/conf/ssl.crt/ca-bundle-foo.crt
bar.example.net:443
   Server: /usr/local/apache2/conf/server-bar.crt
   CA:     /usr/local/apache2/conf/ssl.crt/ca-bundle-bar.crt
...

Hm, I'm not sure we can change the output format without breaking tools like certwatch, and outputting in this format only when both options are set would need more complex code. But if people here think we could change the output format of DUMP_CERTS according to the example above, I can create this patch.

And third, could we document -DDUMP_CERTS and -DDUMP_CA_CERTS on this
occasion (either in server/main.c or docs/man/httpd.8)?

I will do that.

Kaspar


Regards,
Jan Kaluza
