Re: [PATCH 4/4] MINOR: ssl: "show ssl cert" command should print the "Chain filename:"
On Wed, Feb 26, 2020 at 11:15:00AM +0100, Emmanuel Hocdet wrote:
> Hi,
>
> > On 18 Feb 2020 at 17:49, Emmanuel Hocdet wrote:
> >>
> >> Yes. Showing the chain-filename would be very helpful.
> >> For that, I think a good way would be to keep ckch->chain and ckch->issuer
> >> with value (or NULL) from PEM/, and resolve chain and ocsp_issuer
> >> when needed. « show ssl cert » will be able to find the origin of chain
> >> (and ocsp_issuer)
> >> without storing a new state. The drawback(?) is that the .issuer file will be
> >> loaded, in every case, if present.
> >>
> >
> > Patch series to do that:
> >
> > example:
> > Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> > Chain filename: /etc/haproxy/issuers/letsencryptEC.pem
> >
>
> Rebased with current dev branch.
>

Thanks, applied. I made a cosmetic change in the "show ssl cert" output, and
also reworded the commit message a little bit.

--
William Lallemand

Re: [PATCH 4/4] MINOR: ssl: "show ssl cert" command should print the "Chain filename:"
Hi,

> On 18 Feb 2020 at 17:49, Emmanuel Hocdet wrote:
>
>> Yes. Showing the chain-filename would be very helpful.
>> For that, I think a good way would be to keep ckch->chain and ckch->issuer
>> with value (or NULL) from PEM/, and resolve chain and ocsp_issuer
>> when needed. « show ssl cert » will be able to find the origin of chain (and ocsp_issuer)
>> without storing a new state. The drawback(?) is that the .issuer file will be loaded, in every case, if present.
>
> Patch series to do that:
>
> example:
> Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> Chain filename: /etc/haproxy/issuers/letsencryptEC.pem

Rebased with current dev branch.

++
Manu

Attachments:
0001-MINOR-ssl-move-find-certificate-chain-code-to-its-ow.patch
0002-MINOR-ssl-resolve-issuers-chain-later.patch
0003-MINOR-ssl-resolve-ocsp_issuer-later.patch
0004-MINOR-ssl-show-ssl-cert-command-should-print-the-Cha.patch

[PATCH 4/4] MINOR: ssl: "show ssl cert" command should print the "Chain filename:"
Hi,

> On 18 Feb 2020 at 11:45, Emmanuel Hocdet wrote:
>
>> I think we will probably need more information in the "show ssl cert"
>> output in the future so the users can debug this kind of feature easily.
>
> Yes. Showing the chain-filename would be very helpful.
> For that, I think a good way would be to keep ckch->chain and ckch->issuer
> with value (or NULL) from PEM/, and resolve chain and ocsp_issuer
> when needed. « show ssl cert » will be able to find the origin of chain (and ocsp_issuer)
> without storing a new state. The drawback(?) is that the .issuer file will be loaded, in every case, if present.

Patch series to do that:

example:
Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Chain filename: /etc/haproxy/issuers/letsencryptEC.pem

++
Manu

Attachments:
0001-MINOR-ssl-move-find-certificate-chain-code-to-its-ow.patch
0002-MINOR-ssl-resolve-issuers-chain-later.patch
0003-MINOR-ssl-resolve-ocsp_issuer-later.patch
0004-MINOR-ssl-show-ssl-cert-command-should-print-the-Cha.patch