[https://issues.apache.org/jira/browse/TS-4180?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15248460#comment-15248460]
ASF GitHub Bot commented on TS-4180:
------------------------------------
Github user shinrich commented on the pull request:
https://github.com/apache/trafficserver/pull/578#issuecomment-212078480
Well, looking at the existing tests anyway told me that my initial solution
was wrong. We are moving into the area where behavior changes between 1.0.2
and 1.0.1. I just spent a couple of hours with my 1.0.2 build and got this
scenario working correctly in 1.0.2 (only return the cipher-appropriate main
cert (true in 1.0.1 and 1.0.2) and only return the cipher-appropriate intermediate
cert (true only for 1.0.2; in 1.0.1 all intermediate certs will be returned
regardless of cipher type because there is only one chain)).
The existing test checks for the number of certs returned in the chain and
expects 2. This is true in the original code because we only ever added the
first cert in the ssl_ca_name list. This series of code fixes changes this
logic, and the behavior changes depending on which OpenSSL version is in use.
For 1.0.1 three certs will be in the chain (base cert and both intermediates).
For 1.0.2 two certs will be in the chain (base cert and the intermediate of the
appropriate type).
@jacksontj do we specify different versions of OpenSSL to test against? Or
should we make our test results conditional on the version that happens
to be present in the test environment?
Also, should these decisions be made at compile time? Or should we try to be
clever at run time and use the 1.0.2 support if we are linking against 1.0.2
and gracefully fall back to the 1.0.1 API otherwise?
For the moment, I'll add compile-time checks and push my changes up.
> support for serving multiple intermediate cert chains
> -----------------------------------------------------
>
> Key: TS-4180
> URL: https://issues.apache.org/jira/browse/TS-4180
> Project: Traffic Server
> Issue Type: Improvement
> Components: SSL
> Reporter: Scott Beardsley
> Assignee: Susan Hinrichs
> Labels: yahoo
> Fix For: 6.2.0
>
>
> We would like to serve two different intermediate certificate chains for RSA
> certs and ECDSA certs. Today they are required to be in the same chain. It
> seems the best way would be to modify "ssl_ca_name" (or
> proxy.config.ssl.CA.cert.path) to support a comma-delimited list of
> intermediate files.
> Bonus points if ATS validates that the intermediate chain matches the cert
> being served (and spits out an error if there is a mismatch)!
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)