On 27.03.2014 20:44, Ruediger Pluem wrote:
> Daniel Kahn Gillmor wrote:
>> Do we have a robust, free tool that, given a single X.509 EE cert, can do
>> automagic fetching and trying of all
>> combinations of these things and produce a reasonable PEM-encoded
>> SSLCertificateChainFile on stdout?

s/Chain// for 2.4.9 and later (see
http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslcertificatefile)

>> If we had such a tool, then the detection code in mod_ssl could just
>> encourage people to run that tool.
>
> How about not fixing stuff in mod_ssl but only create a patch for a support
> tool
> for httpd (like rotatelogs, etc.) that does check a cert chain and tries to
> create
> a correct one like outlined above such that the admin can take it after
> crosschecking
> and configure it just like today.

I would like to second that. Some adjustments in mod_ssl wrt chain fixing
(reordering, dropping self-signed root) is probably fine, but let's not blow
up the mod_ssl code unnecessarily. AIA chasing doesn't belong there, IMO.

Kaspar
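An added example, not code from httpd or from anyone in the thread, of the two "chain fixing" steps Kaspar is willing to see (leaf-first reordering and dropping the self-signed root) for a bundle destined for SSLCertificateFile. It works on any objects exposing `subject` and `issuer` attributes (assumed compatible with cryptography's `x509.Certificate`); the `Cert` stand-in and the bundle are constructed so it runs offline, and self-signedness is judged by subject == issuer only (an assumption; a real tool would also verify the signature). Where an issuer is missing it reports the gap rather than chasing AIA.

```python
"""Reorder a CA-supplied bundle into a mod_ssl-style chain (leaf first,
intermediates next, self-signed root dropped). Added example, not httpd code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in; real use would pass x509.Certificate objects."""
    subject: str
    issuer: str
    pem: str = ""


def order_chain(certs):
    """Return (ordered_chain, missing_issuer).

    ordered_chain: leaf first, then each issuing intermediate, root left out.
    missing_issuer: issuer name not found in the bundle, or None if the chain
    ends at a self-signed root (this gap is what AIA chasing would fill).
    """
    by_subject = {c.subject: c for c in certs}
    # names that issue some *other* cert; the leaf is never one of them
    issuers = {c.issuer for c in certs if c.subject != c.issuer}
    leaves = [c for c in certs if c.subject not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf, found {len(leaves)}")
    chain, cur, seen = [], leaves[0], set()
    while True:
        if cur.subject == cur.issuer:   # self-signed root: assumption, drop it
            return chain, None
        if cur.subject in seen:
            raise ValueError("issuer loop in bundle")
        seen.add(cur.subject)
        chain.append(cur)
        nxt = by_subject.get(cur.issuer)
        if nxt is None:                 # intermediate missing from the bundle
            return chain, cur.issuer
        cur = nxt


def to_pem(chain):
    """Concatenate the ordered chain into SSLCertificateFile contents."""
    return "".join(c.pem for c in chain)


# constructed bundle, deliberately in the root-first order CAs often ship
ROOT = Cert("CN=Example Root CA", "CN=Example Root CA", "-----ROOT-----\n")
INTER = Cert("CN=Example Issuing CA", "CN=Example Root CA", "-----INTER-----\n")
LEAF = Cert("CN=www.example.org", "CN=Example Issuing CA", "-----LEAF-----\n")
BUNDLE = [ROOT, LEAF, INTER]

if __name__ == "__main__":
    chain, missing = order_chain(BUNDLE)
    print(to_pem(chain), "missing issuer:", missing)
```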