On 23.02.2014 09:03, Kaspar Brand wrote:
On 22.02.2014 19:17, Falco Schwarz wrote:
Kaspar, I switched back to your version and realized, that the directive
SSLCertificateChainFile was always used in a VirtualHost.
If the directive is in server scope, the warning is written correctly.
On 22.02.2014 19:17, Falco Schwarz wrote:
Kaspar, I switched back to your version and realized, that the directive
SSLCertificateChainFile was always used in a VirtualHost.
If the directive is in server scope, the warning is written correctly.
On 20.02.2014 21:37, Falco Schwarz wrote:
As I read through the changed code I found a smaller issue with the
deprecation warning of SSLCertificateChainFile:
+ ap_log_error(APLOG_MARK, APLOG_WARNING|APLOG_STARTUP, 0, cmd-server,
+ APLOGNO(02559)
+ The SSLCertificateChainFile directive
Perhaps I am missing something here, but if it is printed to stderr I should
see it in the console when starting, right? Because I am unable to see it
anywhere.
Even when reloading or restarting it is not written to the error log.
It does not show up with -t either. Any clues?
Date: Sat, 22
On 22.02.2014 11:06, Falco Schwarz wrote:
Perhaps I am missing something here, but if it is printed to stderr I should
see it in the console when starting, right? Because I am unable to see it
anywhere.
Even when reloading or restarting it is not written to the error log.
It does not show
Date: Sat, 22 Feb 2014 11:22:14 +0100
Does your current config still include an SSLCertificateChainFile directive?
Kaspar
Yes, for testing I am currently using these directives (without comment):
SSLCertificateFile conf/ssl/foo.bar.cer # leaf only
SSLCertificateKeyFile
On 22.02.2014 11:27, Falco Schwarz wrote:
Yes, for testing I am currently using these directives (without comment):
SSLCertificateFile conf/ssl/foo.bar.cer# leaf only
SSLCertificateKeyFile conf/ssl/foo.bar.key# key only
SSLCertificateChainFile conf/ssl/foo.bar.ca # chain
Date: Sat, 22 Feb 2014 15:16:27 +0100
The only explanation I can imagine then is that your mod_ssl.so / httpd
binary does not include the complete mod_ssl-2.4.x-certkeyfile-v3.diff
patch. Does strings mod_ssl.so | grep AH02559 show any output?
Kaspar
Unfortunately yes. I checked out a
Kaspar, I switched back to your version and realized, that the directive
SSLCertificateChainFile was always used in a VirtualHost.
If the directive is in server scope, the warning is written correctly.
Date: Thu, 20 Feb 2014 07:35:01 +0100
That's part of the mod_ssl backport proposal currently in 2.4.x/STATUS.
(A previous version had a vote from jorton, but I'm not sure if he's
willing to refresh that... perhaps people feel uneasy with getting this
into 2.4.8? A third vote would be needed
On Tue, Feb 18, 2014 at 5:00 PM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
On 18/02/2014 20:06, Jeff Trawick wrote:
On Mon, Feb 3, 2014 at 6:21 AM, Dr Stephen Henson
shen...@opensslfoundation.com
mailto:shen...@opensslfoundation.com wrote:
On 02/02/2014 13:45, Kaspar
On 19/02/2014 18:37, Jeff Trawick wrote:
I think this is the trick...
+rc = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
+while (rc) {
+x = SSL_CTX_get0_certificate(ctx);
+if (x) {
+chain = NULL;
+SSL_CTX_get0_chain_certs(ctx,
On Wed, Feb 19, 2014 at 2:23 PM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
On 19/02/2014 18:37, Jeff Trawick wrote:
I think this is the trick...
+rc = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST);
+while (rc) {
+x = SSL_CTX_get0_certificate(ctx);
On 19/02/2014 20:17, Jeff Trawick wrote:
On Wed, Feb 19, 2014 at 2:23 PM, Dr Stephen Henson
shen...@opensslfoundation.com mailto:shen...@opensslfoundation.com wrote:
On 19/02/2014 18:37, Jeff Trawick wrote:
I think this is the trick...
+rc =
On 19/02/2014 20:17, Jeff Trawick wrote:
On Wed, Feb 19, 2014 at 2:23 PM, Dr Stephen Henson
shen...@opensslfoundation.com mailto:shen...@opensslfoundation.com wrote:
That works for two cases above. If however the on the fly chain building
is
performed it will fail.
Perhaps
On 19.02.2014 20:23, Dr Stephen Henson wrote:
However for that to work it needs application support either explicitly by
using
SSL_CTX_add0_chain_cert or via the use of SSL_CTX_use_cetificate_chain_file
which uses this transparently in OpenSSL 1.0.2. I just checked and httpd
currently
On Mon, Feb 3, 2014 at 6:21 AM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
On 02/02/2014 13:45, Kaspar Brand wrote:
On 01.02.2014 14:37, Dr Stephen Henson wrote:
I'm wondering how that could be avoided. Would a way to enumerate all
certificates in an SSL_CTX structure in
On 18/02/2014 20:06, Jeff Trawick wrote:
On Mon, Feb 3, 2014 at 6:21 AM, Dr Stephen Henson
shen...@opensslfoundation.com
mailto:shen...@opensslfoundation.com wrote:
On 02/02/2014 13:45, Kaspar Brand wrote:
On 01.02.2014 14:37, Dr Stephen Henson wrote:
I'm wondering how that
On 02/02/2014 13:45, Kaspar Brand wrote:
On 01.02.2014 14:37, Dr Stephen Henson wrote:
I'm wondering how that could be avoided. Would a way to enumerate all
certificates in an SSL_CTX structure in OpenSSL help? Something like
SSL_CTX_get0_first_certificate() and
On 01.02.2014 14:37, Dr Stephen Henson wrote:
I'm wondering how that could be avoided. Would a way to enumerate all
certificates in an SSL_CTX structure in OpenSSL help? Something like
SSL_CTX_get0_first_certificate() and SSL_CTX_get0_next_certificate(). That
would
also set the current
On 01/02/2014 07:43, Kaspar Brand wrote:
Steve, I'm using this opportunity for a short reminder about [1] - any
comments about that? Should we try to get this into 2.4.8?
Kaspar
[1]
https://mail-archives.apache.org/mod_mbox/httpd-dev/201401.mbox/%3c52cc3c0d.1030...@velox.ch%3E
On 01/02/2014 07:43, Kaspar Brand wrote:
Steve, I'm using this opportunity for a short reminder about [1] - any
comments about that? Should we try to get this into 2.4.8?
On the subject of reminders and SSL_CONF. The code that handles SSL_CONF has
something which manually checks for the
On 01.02.2014 13:21, Dr Stephen Henson wrote:
On 01/02/2014 07:43, Kaspar Brand wrote:
https://mail-archives.apache.org/mod_mbox/httpd-dev/201401.mbox/%3c52cc3c0d.1030...@velox.ch%3E
IMHO, yes.
Ok, committed to trunk with r1563420 and proposed for backport to 2.4.x
in r1563421.
On 30.01.2014 22:51, Jeff Trawick wrote:
On Thu, Jan 30, 2014 at 2:37 PM, Dr Stephen Henson
I wasn't sure of the details of the current implementation either. Would
it be
appropriate to have SSL_CONF usable with SSLProxy* too?
Surely yes is the answer; i.e., there is or will be some
On 29.01.2014 19:15, Graham Leggett wrote:
On 29 Jan 2014, at 16:24, kbr...@apache.org wrote:
URL: http://svn.apache.org/r1562500
Log:
propose SSLCertificate[Key]File/SSLCertificateChainFile overhaul for mod_ssl
Would it be possible to do the same for the SSLProxy* directives?
I think so.
On 30/01/2014 18:25, Kaspar Brand wrote:
On 29.01.2014 19:15, Graham Leggett wrote:
On 29 Jan 2014, at 16:24, kbr...@apache.org wrote:
URL: http://svn.apache.org/r1562500
Log:
propose SSLCertificate[Key]File/SSLCertificateChainFile overhaul for mod_ssl
Would it be possible to do the same
On Thu, Jan 30, 2014 at 2:37 PM, Dr Stephen Henson
shen...@opensslfoundation.com wrote:
On 30/01/2014 18:25, Kaspar Brand wrote:
On 29.01.2014 19:15, Graham Leggett wrote:
On 29 Jan 2014, at 16:24, kbr...@apache.org wrote:
URL: http://svn.apache.org/r1562500
Log:
propose
On 29 Jan 2014, at 16:24, kbr...@apache.org wrote:
Author: kbrand
Date: Wed Jan 29 16:24:43 2014
New Revision: 1562500
URL: http://svn.apache.org/r1562500
Log:
propose SSLCertificate[Key]File/SSLCertificateChainFile overhaul for mod_ssl
Would it be possible to do the same for the
28 matches
Mail list logo