On 19/02/2014 20:17, Jeff Trawick wrote:
> On Wed, Feb 19, 2014 at 2:23 PM, Dr Stephen Henson
> <shen...@opensslfoundation.com> wrote:
>
>     That works for two cases above. If however the on the fly chain building is
>     performed it will fail.
>
> Perhaps this is naive, but it may be reasonable for now to require that the log
> have access to the certificates required to perform the same "on the fly" chain
> building as the server, in the case where a chain is not configured.
>
That sort of relates to a separate(ish) mechanism in 1.0.2.

I've never been happy with the "on the fly" chain building. It's inefficient (building the chain on every connection), has no error mechanism if the chain cannot be completely built (which would be useful as an error indication: missing intermediate CA certificates in server configuration often cause problems) and it uses the verification store (which is also used for client authentication).

I'd be happy if httpd moved to a more robust mechanism. In OpenSSL 1.0.2 there is a technique which might be usable here. You can set a separate chain store which is only used for chain building. You can also make an explicit call to SSL_CTX_build_cert_chain and it will build the chain internally for the current certificate and store it for later use.

So to handle this typically you'd set up the chain store, call SSL_CTX_build_cert_chain once on every configured certificate and return an error condition on failure. The SSL_CTX would then have the chain set up correctly for each configured certificate in the correct order with no way misconfiguration could get it wrong.

Steve.
--
Dr Stephen Henson. OpenSSL Software Foundation, Inc.
1829 Mount Ephraim Road
Adamstown, MD 21710
+1 877-673-6775
shen...@opensslfoundation.com