Paul Rubin <[EMAIL PROTECTED]>:
> Hi, I'm trying to install a GlobalID into the c2 Stronghold server,
> which uses ssleay (forerunner of openssl).
> I'm having a lot of trouble and found some messages about GlobalID's
> in the sw-mod-ssl and openssl-users archives so I thought I'd ask for
> advice here. The problem is that the GSID is delivered as two
> separate certificates that need to be chained. There is the GSID
> itself and an intermediate cert that signs it. [...]

SSLeay will automatically insert the CA certificate into the chain
sent to the client if it is told to accept that CA for client (!)
verification. So if the SSLCACertificateFile points to it, things
hopefully work out as desired (this approach has problems, though,
if you really want to do client authentication, because then you
probably don't want to give access to anyone who has a certificate
from that CA).

In SSLeay 0.9.1b, Eric added a function SSL_CTX_add_extra_chain_cert
that allows one to cleanly build the chain for the server certificate.
I'm afraid, though, that mod_ssl doesn't use it as of yet.

> Finally is there a way to get s_client to dump more info about the
> certificates it sees, such as their fingerprints, expiration dates,
> etc.?

If you get a current OpenSSL snapshot (not the released version
0.9.2b), then you can use the new s_client option "-showcerts" to
print all certificates from the server's chain in the usual base64
encoding. Then you can look at them in readable form by saving each
certificate into a file and using "openssl x509 -text -in filename".
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
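
The "-showcerts" procedure from the reply above, as an added example that is not part of the original message: it splits s_client output into one PEM file per certificate and prints each certificate's subject, issuer, validity dates and fingerprint. The function names, the cert-N.pem file naming and the HOST:PORT argument are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example (not from the original thread). Function and file names are hypothetical.

# split_chain DIR: read "openssl s_client -showcerts" output on stdin and write
# every PEM block to DIR/cert-N.pem, in the order the server sent them
# (cert-0 is the server's own certificate). Prints the number of files written.
split_chain() {
    outdir=$1
    mkdir -p "$outdir" || return 1
    awk -v dir="$outdir" '
        /^-----BEGIN CERTIFICATE-----/ {
            if (inside) close(file)          # truncated block: start the file over
            file = sprintf("%s/cert-%d.pem", dir, n); inside = 1
        }
        inside { print > file }
        /^-----END CERTIFICATE-----/ {
            if (inside) { close(file); n++ }
            inside = 0
        }
        END { print n + 0 }
    '
}

# describe_chain DIR: show the fields needed to check the chain by eye.
# A link is consistent when the issuer of cert-N equals the subject of cert-(N+1).
describe_chain() {
    for pem in "$1"/cert-*.pem; do
        [ -f "$pem" ] || continue
        echo "== $pem"
        openssl x509 -noout -subject -issuer -dates -fingerprint -in "$pem"
    done
}

# Usage: sh chain.sh HOST:PORT   (nothing runs when no argument is given)
if [ $# -eq 1 ]; then
    dir=$(mktemp -d) || exit 1
    openssl s_client -connect "$1" -showcerts </dev/null 2>/dev/null |
        split_chain "$dir"
    describe_chain "$dir"
fi
```

If only cert-0.pem is written, the server is not sending the intermediate certificate, which is the symptom described in the question.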