[ https://issues.apache.org/jira/browse/TS-3027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14107399#comment-14107399 ]
ASF subversion and git services commented on TS-3027:
-----------------------------------------------------
Commit 99fabae491897a3aa1005a77d70b6b3ed0b75287 in trafficserver's branch
refs/heads/master from [[email protected]]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=99fabae ]
Add TS-3027 to CHANGES
> Hashed SSL Intermediate Server Certs not recognized
> ---------------------------------------------------
>
> Key: TS-3027
> URL: https://issues.apache.org/jira/browse/TS-3027
> Project: Traffic Server
> Issue Type: Bug
> Components: SSL
> Reporter: Steven Feltner
> Assignee: James Peach
> Fix For: 5.1.0
>
> Attachments: HashedSSL.patch
>
>
> Tested on:
>   CentOS 6.5 x86_64
>   trafficserver-5.0.1
>
> Pertinent Config Values:
>   CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
>   #CONFIG proxy.config.ssl.CA.cert.filename STRING combined_ca_bundle.crt
>   CONFIG proxy.config.ssl.CA.cert.path STRING /var/linhosting/users/local
>   (with and without CA.cert.filename configured)
>   CONFIG proxy.config.ssl.client.certification_level INT 0
>   CONFIG proxy.config.ssl.client.verify.server INT 0
>
> c_rehash (from OpenSSL) called from command line to create hash symlinks
>
> Currently, SSL_CTX_load_verify_locations is only called in two cases:
>   if (params->clientCertLevel != 0) {
> and
>   if (params->clientVerify) {
>
> Attached patch will create a precedence such that:
>   if ssl_ca_name= is configured in ssl_multicert.config
>     use that to build the cert chain
>   else if proxy.config.ssl.CA.cert.filename is configured (along with proxy.config.ssl.CA.cert.path)
>     use that file to build the chain
>   else if proxy.config.ssl.CA.cert.path is configured (and proxy.config.ssl.CA.cert.filename is NULL)
>     use the hashed symlinks in that directory to build the chain
>   else
>     error out because we don't have the right configuration to build the chain
--
This message was sent by Atlassian JIRA
(v6.2#6252)
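
Added example, not Traffic Server code and not the attached patch: a C version of the precedence described in the issue, combined with a check that the CA path really holds c_rehash-style links (`<8 hex digits>.<n>`), because a directory without them gives OpenSSL's directory lookup nothing to find. The enum and function names are hypothetical, unset values are assumed to arrive as NULL or empty strings, and treating a directory with no hash links as the error case is this example's own assumption.

```c
#include <dirent.h>
#include <stdio.h>

/* Hypothetical names mirroring the four branches in the issue description. */
typedef enum { SRC_MULTICERT_CA, SRC_CA_FILE, SRC_HASHED_DIR, SRC_NONE } chain_source;

static int is_set(const char *s) { return s != NULL && s[0] != '\0'; }
static int is_dec(char c) { return c >= '0' && c <= '9'; }
static int is_hex(char c) { return is_dec(c) || (c >= 'a' && c <= 'f'); }

/* c_rehash names certificate links <8 lowercase hex digits>.<index>, e.g. 1a2b3c4d.0 */
int is_hash_link(const char *name)
{
    int i;
    for (i = 0; i < 8; i++)
        if (!is_hex(name[i]))   /* also stops at an early NUL terminator */
            return 0;
    if (name[8] != '.' || name[9] == '\0')
        return 0;
    for (i = 9; name[i] != '\0'; i++)
        if (!is_dec(name[i]))   /* rejects CRL links such as 1a2b3c4d.r0 */
            return 0;
    return 1;
}

/* Count hash-named entries in dir; -1 if the directory cannot be opened. */
int count_hash_links(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int n = 0;
    if (d == NULL)
        return -1;
    while ((e = readdir(d)) != NULL)
        n += is_hash_link(e->d_name);
    closedir(d);
    return n;
}

/* Precedence from the issue; a path with no hash links counts as the error case
   (assumption of this example). */
chain_source pick_chain_source(const char *ca_name, const char *ca_file, const char *ca_path)
{
    if (is_set(ca_name)) return SRC_MULTICERT_CA;
    if (is_set(ca_file) && is_set(ca_path)) return SRC_CA_FILE;
    if (is_set(ca_path) && count_hash_links(ca_path) > 0) return SRC_HASHED_DIR;
    return SRC_NONE;
}

int main(int argc, char **argv) { printf("%d\n", count_hash_links(argc > 1 ? argv[1] : ".")); return 0; }
```

Run against the configured CA path, the program prints how many hash links the directory contains, or -1 if it cannot be opened.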