https://bz.apache.org/bugzilla/show_bug.cgi?id=65169
--- Comment #13 from Joe Orton <[email protected]> ---

Interesting note from testing: when looking at SSL_CLIENT_CERT_CHAIN_* these are really the "set of certificates in the cert chain sent by the client" and *not* the set of certificates in the verified cert chain as built up by OpenSSL/mod_ssl.

So the client could send (client cert A, unrelated CA cert B, unrelated CA cert C), and certs B & C show up in _CERT_CHAIN_0 & _CERT_CHAIN_1 even if (A, CA X, CA Y, CA Z) was the actual client cert chain built and verified by OpenSSL.

The mod_ssl docs merely describe this _CHAIN_n as: "PEM-encoded certificates in client certificate chain", which is ambiguous. Does Tomcat present/expect anything in particular here?

We could switch to the alternate OpenSSL 1.1.0 API SSL_get0_verified_chain():

https://www.openssl.org/docs/man1.1.0/man3/SSL_get0_verified_chain.html

which seems a more sensible/useful way to do it, except there is a possible behaviour difference here in the case where the client cert is *not* verified successfully, in which case we may not get a complete chain.
