On 9/6/2011 12:21 AM, Kaspar Brand wrote:
> On 05.09.2011 21:59, Daniel Ruggeri wrote:
>> could be reused to build a chain for the server-side of mod_ssl (because
>> today, the chain certs get presented in whatever order they are in the
>> file resulting in unhappy java clients). With a little bit of
>> refactoring on the server side, this could be taken care of just as well.
> I agree, this is definitely desirable, and we should certainly do it for
> trunk. As suggested by Steve, we shouldn't simply ignore all
> X509_verify_cert errors in this case, too. Something like
> modssl_check_cert(), which returns a proper chain on success, would be
> my idea.
>
>> I've made a few adjustments and built/tested the snippet below. Works
>> well, though in my test cases I can't tell if the chain is being sent or
>> not (suggestions on how to verify?).
> If you have a proxied server which runs httpd/mod_ssl, then you can use
> the SSLOptions +ExportCertData, and look for the SSL_CLIENT_CERT_CHAIN_n
> environment vars.
>
My usage tests pass muster with the approach we have discussed, so I have updated trunk and the 2.2 backport proposal. At this point, I am satisfied with this particular patch, though I won't lose sight of the server-side issue. Since the patch should now be complete, I have given my vote in the 2.2 STATUS file and would appreciate any further review/votes.

--
Daniel Ruggeri
