On 18/08/2012 08:00, Kaspar Brand wrote: > On 17.8.12 13:59, [email protected] wrote: >> Author: jorton >> Date: Fri Aug 17 11:59:45 2012 >> New Revision: 1374214 >> >> URL: http://svn.apache.org/viewvc?rev=1374214&view=rev >> Log: >> * modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fix test for >> missing decrypted private keys, and ensure that the keypair matches. > > [...] > >> @@ -1412,6 +1421,8 @@ static void ssl_init_proxy_certs(server_ >> ssl_die(s); >> } >> >> + /* ### Why is all the following done? Why is it necessary or >> + * useful for the server to try to verify its own client cert? */ > > It's the somewhat surprising way to let OpenSSL build the chain of the > client cert, cf. > > http://mail-archives.apache.org/mod_mbox/httpd-dev/201109.mbox/%[email protected]%3E > http://mail-archives.apache.org/mod_mbox/httpd-dev/201109.mbox/%[email protected]%3E > http://mail-archives.apache.org/mod_mbox/httpd-dev/201109.mbox/%[email protected]%3E >
Though this quirk has been addressed in the current development version of OpenSSL. It's now possible to set certificate chains on a per-type and per-SSL context basis, instead of one per parent SSL_CTX. The functionality is likely to be back ported to OpenSSL 1.0.2. Steve. -- Dr Stephen Henson. OpenSSL Software Foundation, Inc. 1829 Mount Ephraim Road Adamstown, MD 21710 +1 877-673-6775 [email protected]
