https://bz.apache.org/bugzilla/show_bug.cgi?id=57600
--- Comment #5 from Kaspar Brand ---
(In reply to Yann Ylavic from comment #4)
> Hmm ok, maybe your trick from [1] with SSLCertificateChainFile then?

The technique mentioned in bug 56073 comment 1 doesn't work either, I'm afraid. OpenSSL's auto-chainbuilding kicks in whenever it sees a cert with no extra certs configured (see the code referenced in comment 1 above).

Note that the RFC doesn't explicitly "forbid" sending the root in the handshake, it says "... MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case".

Lobbying with the OpenSSL guys for making SSL_MODE_NO_AUTO_CHAIN configurable via SSL_CONF (i.e. via "SSLOpenSSLConfCmd Options ...") would seem like the best way to escape further tweaking in mod_ssl.
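The chain-selection behaviour described in the comment above, as an added example that is not part of the original thread and is not OpenSSL or mod_ssl code. It is a simplified model: certificates are constructed (subject, issuer) records, the function and variable names are hypothetical, and it assumes the auto-built chain follows issuers through the trust store up to the self-signed root.

```python
from typing import List, NamedTuple, Sequence

class Cert(NamedTuple):
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer

def build_handshake_chain(leaf: Cert, extra_certs: Sequence[Cert],
                          trust_store: Sequence[Cert],
                          no_auto_chain: bool = False,
                          max_depth: int = 10) -> List[Cert]:
    """Model which certs the server places in its Certificate message."""
    # Extra certs configured: they are sent as given, no chain building.
    if extra_certs:
        return [leaf, *extra_certs]
    # Models SSL_MODE_NO_AUTO_CHAIN being set: the leaf goes out alone.
    if no_auto_chain:
        return [leaf]
    # Auto chain building (assumed): follow issuer names through the
    # trust store until a self-signed cert or a missing issuer.
    by_subject = {c.subject: c for c in trust_store}
    chain, current = [leaf], leaf
    while not current.self_signed and len(chain) < max_depth:
        issuer = by_subject.get(current.issuer)
        if issuer is None:
            break  # incomplete chain: send what was found
        chain.append(issuer)
        current = issuer
    return chain

def sends_root(chain: Sequence[Cert]) -> bool:
    """True if a self-signed cert would be sent in the handshake."""
    return any(c.self_signed for c in chain)

# Constructed sample hierarchy, not taken from the bug report.
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA")
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root CA")
LEAF = Cert("CN=www.example.test", "CN=Example Issuing CA")
STORE = [INTERMEDIATE, ROOT]

if __name__ == "__main__":
    cases = [("no extra certs", [], False),
             ("extra certs configured", [INTERMEDIATE], False),
             ("no-auto-chain mode", [], True)]
    for label, extra, mode in cases:
        chain = build_handshake_chain(LEAF, extra, STORE, no_auto_chain=mode)
        print(f"{label}: {[c.subject for c in chain]} root sent={sends_root(chain)}")
```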
