On Mon, Jun 15, 2015 at 10:54 AM, William A Rowe Jr <wr...@rowe-clan.net>
wrote:

> On Mon, Jun 15, 2015 at 8:12 AM, Eric Covener <cove...@gmail.com> wrote:
>
>> Anyone else inclined to just remove the message? It's a deprecation that
>> didn't happen on a release boundary. AFAICT there's no reason to change how
>> you run your server unless you use two different cert chains and then you'd
>> find the info in the manual.
>>
>
> +1, this is highly irregular.  Our general statement is that config
> changes are not strictly necessary on subversion updates of httpd.
>  (Securing your SSLCipherList notwithstanding.)
>
> Bill
>

+1, but IMO the whole idea should be revisited.

Storing intermediate certificates separately is a problem when you have
multiple certificates with different algorithms.  (Which server cert(s)
do/does the intermediate cert file go with?)

For cases where there's no ambiguity, we have a trade-off between

1) being able to get rid of the directive since the intermediate certs
don't necessarily need to be stored separately
2) a future migration headache, if not nightmare, for sites with many
vhosts where different users manage the certs

We need to favor #2.

For cases where there is an ambiguity, we should deprecate being able to
configure that, and visibly warn that there's a likely problem ASAP.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/
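The ambiguity raised in the message above, as an added example that is not part of the original thread or of httpd itself: a small checker that flags virtual hosts pairing one separate chain file with more than one server certificate. It assumes the directive under discussion is mod_ssl's `SSLCertificateChainFile` (the thread does not name it); the sample configuration, paths and host names are constructed, and `classify_vhosts` is a hypothetical helper.

```python
import re

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName one.example
    SSLCertificateFile /etc/pki/one-rsa.crt
    SSLCertificateChainFile /etc/pki/rsa-chain.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName two.example
    SSLCertificateFile /etc/pki/two-rsa.crt
    SSLCertificateFile /etc/pki/two-ecdsa.crt
    SSLCertificateChainFile /etc/pki/rsa-chain.crt
</VirtualHost>
<VirtualHost *:443>
    ServerName three.example
    # SSLCertificateChainFile /etc/pki/old-chain.crt
    SSLCertificateFile /etc/pki/three-fullchain.crt
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(r"^\s*(\w+)\s+(.+?)\s*$")

def classify_vhosts(conf_text):
    """Return [(server_name, status)] for every <VirtualHost> block."""
    results = []
    for body in VHOST_RE.findall(conf_text):
        name, certs, chains = "(unnamed)", [], []
        for line in body.splitlines():
            if line.lstrip().startswith("#"):
                continue  # commented-out directives do not count
            m = DIRECTIVE_RE.match(line)
            if not m:
                continue
            key, value = m.group(1).lower(), m.group(2)  # names are case-insensitive
            if key == "servername":
                name = value
            elif key == "sslcertificatefile":
                certs.append(value)
            elif key == "sslcertificatechainfile":
                chains.append(value)
        if chains and len(certs) > 1:
            status = "ambiguous"        # which server cert does the chain file go with?
        elif chains:
            status = "separate-chain"   # unambiguous, but would need migrating later
        else:
            status = "no-chain-file"
        results.append((name, status))
    return results
```

The checker only looks inside `<VirtualHost>` blocks of the text it is given; it does not follow `Include` directives or consider server-wide settings.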
