On 2015-06-15 03:36, Gregg Smith wrote:
> On 6/14/2015 6:14 PM, Gregg Smith wrote:
>> On 6/14/2015 2:56 PM, Yann Ylavic wrote:
>>> On Sun, Jun 14, 2015 at 1:31 PM, Gregg Smith<g...@gknw.net> wrote:
>>>> http://people.apache.org/~gsmith/proposal/sslcertificatechainfile_compromise.diff
>>> I'm fine with this approach too.
>>> We have to decide whether a single [warn] is acceptable or not since
>>> it may still confuse startup monitors, which was a point raised in the
>>> [Vote] thread.
>>> I agree that the current patch proposed in STATUS is nearly the same
>>> as not noticing the user since it requires -e info in the command-line
>>> for anything to be visible, but I'm afraid any warning won't be
>>> accepted now...
>>
>> It's a lose/lose situation either way. I didn't pick up on the startup
>> monitors part of the thread.
>>
>> We are almost back to the way it was before the warning, I guess this is
>> fine. No one will know the better unless they go fishing for some other problem
>> that may arise. At the very minimum it's something at least, should not make
>> waves and I would bet everyone knows about it now unless 2.4.15 is their
>> first.
>
> If this is their first, probably ought to remove this in httpd-ssl.conf also
>
> #   Server Certificate Chain:
> #   Point SSLCertificateChainFile at a file containing the
> #   concatenation of PEM encoded CA certificates which form the
> #   certificate chain for the server certificate. Alternatively
> #   the referenced file can be the same as SSLCertificateFile
> #   when the CA certificates are directly appended to the server
> #   certificate for convenience.
> #SSLCertificateChainFile "@rel_sysconfdir@/server-ca.crt"
>
It is a valid statement, so I think it would be better to keep it and
replace the description with something like

#   This directive is deprecated, please concatenate the
#   intermediate CA to the SSLCertificateFile.
#SSLCertificateChainFile "@rel_sysconfdir@/server-ca.crt"

As a side note, even though I've read the Release Notes, I was thankful to
see my console was trashed with the deprecation warning ;)

What I miss is a section on httpd.apache.org/docs/2.4/ with a link list of
what has changed since which release. For example, there are the sections
"New features with Apache .." and "Upgrading to 2.4 from 2.2", but no
section like

Deprecated / Important changes between 2.4.x and 2.4.y

- mod_cgi: use of the magic mime-type is deprecated
- mod_ssl: SSLCertificateChainFile is deprecated
           SSLRequire is deprecated
- mod_ldap: (ldaps://) support has been deprecated to be replaced with TLS
- mod_access_compat: deprecated by the new authz refactoring
- ...

I'm really not a good technical writer, but if such a list is welcome I
will try to do my best to send a patch.
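The migration the proposed comment asks for, as an added example that is not part of the thread or of httpd: it finds active SSLCertificateChainFile directives, pairs each with the SSLCertificateFile of the same scope, and builds the concatenated PEM with the server certificate first. The sample config, the paths and the helper names are constructed for illustration; only server scope and `<VirtualHost>` blocks are handled.

```python
import re

# Constructed sample config; addresses and paths are placeholders.
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLCertificateChainFile "conf/server-ca.crt"
    SSLCertificateFile "conf/server.crt"
</VirtualHost>
<VirtualHost *:8443>
    SSLCertificateFile "conf/alt.crt"
    #SSLCertificateChainFile "conf/server-ca.crt"
</VirtualHost>
"""

DIRECTIVE = re.compile(
    r'^\s*(SSLCertificateFile|SSLCertificateChainFile)\s+"?([^"\s]+)"?\s*$', re.I)
VHOST = re.compile(r'^\s*<(/?)VirtualHost\b([^>]*)>', re.I)
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def find_chainfile_uses(conf_text):
    """Pair every active SSLCertificateChainFile with its scope's SSLCertificateFile."""
    scope, certs, hits = "server", {}, []
    for no, line in enumerate(conf_text.splitlines(), 1):
        vhost, directive = VHOST.match(line), DIRECTIVE.match(line)
        if vhost:  # entering or leaving a <VirtualHost> block
            scope = "server" if vhost.group(1) else vhost.group(2).strip()
        elif directive and directive.group(1).lower() == "sslcertificatefile":
            certs.setdefault(scope, directive.group(2))  # first one per scope
        elif directive:  # commented-out directives never match DIRECTIVE
            hits.append((no, scope, directive.group(2)))
    # Resolve afterwards: the chain directive may precede the certificate one.
    return [(no, scope, certs.get(scope), chain) for no, scope, chain in hits]

def combine(leaf_pem, chain_pem):
    """Server certificate first, then each intermediate not already present."""
    leaf, chain = PEM_CERT.findall(leaf_pem), PEM_CERT.findall(chain_pem)
    if not leaf:
        raise ValueError("no certificate in SSLCertificateFile content")
    return "\n".join(leaf + [c for c in chain if c not in leaf]) + "\n"

def fake_pem(body):  # constructed stand-in, not a real certificate
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    for no, scope, cert, chain in find_chainfile_uses(SAMPLE_CONF):
        print(f"line {no} [{scope}]: append {chain} to {cert}, then drop the directive")
    print(combine(fake_pem("TEVBRg=="), fake_pem("TEVBRg==") + fake_pem("SU5URVI=")))
```

The duplicate check in `combine` covers the case the old httpd-ssl.conf comment describes, where the chain file is the same file as SSLCertificateFile and already starts with the server certificate.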