On 01/05/2014 11:10 AM, Kaspar Brand wrote:
> On 02.01.2014 07:49, Jan Kaluza wrote:
>> First of all, sorry for the late response; I was away over Christmas. The
>> idea was to stay consistent with what DUMP_CERTS does, so DUMP_CA_CERTS
>> prints only the filename of the cert so it can later be passed to certwatch.
>>
>> I'm trying to load the certificate to find out if it's valid. I think
>> this has to be done, because you can use SSLCACertificatePath to set the
>> path to a directory containing CA certificates, and to print really only
>> valid certificates from this directory, we have to actually try to load
>> them and ignore those which can't be loaded.

> Checking for file contents shouldn't happen at this place, I think. As
> the comments in the sources say, ssl_hook_ConfigTest is supposed to
> "Dump the filenames of all configured ... certificates to stdout".
> Suppressing a file name if the file doesn't include a PEM block with a
> certificate makes the output rather confusing, IMO.

I think I have no problem with changing the code to work as you describe. I only thought the way it works now is better, because otherwise httpd could dump some files which it does not consider later. This could be confusing as well.

>> If we presume that the directory specified by SSLCACertificatePath contains
>> only valid certificates and no other files, we could remove that
>> validity check and just print the filenames of all files in that directory.

> The files in that directory are accessed via their OpenSSL subject name
> hashes, i.e. OpenSSL will look for file names like 5e5a5bcb.0 etc. It's
> therefore rather misleading if -DDUMP_CA_CERTS dumps all files in a
> directory, only based on whether their contents include at least one PEM
> block with BEGIN/END CERTIFICATE.

Hm, I think when I was testing that in December it definitely worked with different filenames too. I will give it a try again, but if it's like that, my current code is wrong and definitely needs to change.

> Maybe it would help if you could come up with a short description of
> what problem you're trying to solve (apparently it's driven by RFEs for
> certwatch, from what I understand, but it's not clear to me what exactly
> you're trying to achieve).

The problem I'm trying to solve is that there are admins with websites which require the users accessing the website to have client certificates signed by certain CAs. There was an incident where a CA re-issued its signing cert because the old one was expiring. The admin didn't know this, so when the old certificate expired, all users whose certificates were signed by that CA could no longer get in, because they had not updated the cert for that CA.

If httpd had a "-DDUMP_CA_CERTS" option, they could use certwatch or a similar tool to be warned before a CA cert expires.

> Kaspar


Regards,
Jan Kaluza
