[
https://issues.apache.org/jira/browse/TS-3027?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Alan M. Carroll updated TS-3027:
--------------------------------
Fix Version/s: 5.1.0
> Hashed SSL Intermediate Server Certs not recognized
> ---------------------------------------------------
>
> Key: TS-3027
> URL: https://issues.apache.org/jira/browse/TS-3027
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Reporter: Steven Feltner
> Fix For: 5.1.0
>
> Attachments: HashedSSL.patch
>
>
> Tested on:
>   CentOS 6.5 x86_64
>   trafficserver-5.0.1
>
> Pertinent Config Values:
>   CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
>   #CONFIG proxy.config.ssl.CA.cert.filename STRING combined_ca_bundle.crt
>   CONFIG proxy.config.ssl.CA.cert.path STRING /var/linhosting/users/local
>   (with and without CA.cert.filename configured)
>   CONFIG proxy.config.ssl.client.certification_level INT 0
>   CONFIG proxy.config.ssl.client.verify.server INT 0
>
> c_rehash (from OpenSSL) called from command line to create hash symlinks
>
> Currently, SSL_CTX_load_verify_locations is only called in two cases:
>   if (params->clientCertLevel != 0) {
> and
>   if (params->clientVerify) {
>
> Attached patch will create a precedence such that:
>   if ssl_ca_name= is configured in ssl_multicert.config
>     use that to build the cert chain
>   else if proxy.config.ssl.CA.cert.filename is configured (along with proxy.config.ssl.CA.cert.path)
>     use that file to build the chain
>   else if proxy.config.ssl.CA.cert.path is configured (and proxy.config.ssl.CA.cert.filename is NULL)
>     use the hashed symlinks in that directory to build the chain
>   else
>     error out because we don't have the right configuration to build the chain
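The precedence described in the report, written out as an added example (not taken from HashedSSL.patch or the Traffic Server source): it maps the three settings to the CAfile/CApath pair that `SSL_CTX_load_verify_locations` accepts. The names `ca_source`, `is_set`, `join` and `resolve_ca_source` are hypothetical, and resolving a relative `ssl_ca_name` against `CA.cert.path` is an assumption.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical holder for the CAfile/CApath pair that would be passed to
 * SSL_CTX_load_verify_locations(ctx, CAfile, CApath). */
struct ca_source {
    const char *ca_file;   /* PEM bundle, or NULL */
    const char *ca_path;   /* c_rehash-style hashed directory, or NULL */
    char buf[512];         /* storage for a joined file path */
};

/* records.config spells an unset STRING as the literal word NULL. */
static int is_set(const char *v) {
    return v != NULL && v[0] != '\0' && strcmp(v, "NULL") != 0;
}

/* Assumption: a relative name is resolved against dir, an absolute one is kept. */
static int join(char *out, size_t n, const char *dir, const char *name) {
    int len = (name[0] == '/' || !is_set(dir))
                  ? snprintf(out, n, "%s", name)
                  : snprintf(out, n, "%s/%s", dir, name);
    return (len < 0 || (size_t)len >= n) ? -1 : 0;   /* reject truncated paths */
}

/* Returns 0 and fills *src, or -1 when no CA source can be chosen. */
int resolve_ca_source(const char *ssl_ca_name, const char *ca_filename,
                      const char *ca_path, struct ca_source *src) {
    src->ca_file = src->ca_path = NULL;
    if (is_set(ssl_ca_name)) {                     /* 1: ssl_multicert.config */
        if (join(src->buf, sizeof src->buf, ca_path, ssl_ca_name) != 0) return -1;
        src->ca_file = src->buf;
    } else if (is_set(ca_filename) && is_set(ca_path)) {   /* 2: bundle file */
        if (join(src->buf, sizeof src->buf, ca_path, ca_filename) != 0) return -1;
        src->ca_file = src->buf;
    } else if (is_set(ca_path)) {                  /* 3: hashed symlink directory */
        src->ca_path = ca_path;
    } else {
        return -1;                                 /* 4: nothing usable configured */
    }
    return 0;
}

int main(void) {
    struct ca_source s;   /* values below are the ones quoted in the report */
    if (resolve_ca_source(NULL, "NULL", "/var/linhosting/users/local", &s) != 0)
        return 1;
    printf("CAfile=%s CApath=%s\n", s.ca_file ? s.ca_file : "(none)",
           s.ca_path ? s.ca_path : "(none)");
    return 0;
}
```

With the reported configuration (filename NULL, path set) the result is a CApath-only lookup, which is the case that depends on the c_rehash symlinks being present in that directory.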