| Summary: | SSLCertificateChainFile behaviour different or broken vs. apache v1.3.x | | |
|---|---|---|---|
| Product: | Apache httpd-2 | Reporter: | John Koyle <jkoyle> |
| Component: | mod_ssl | Assignee: | Apache HTTPD Bugs Mailing List <bugs> |
| Status: | CLOSED FIXED | | |
| Severity: | normal | | |
| Priority: | P3 | | |
| Version: | 2.0.43 | | |
| Target Milestone: | --- | | |
| Hardware: | PC | | |
| OS: | Linux | | |
Description

John Koyle
2002-11-14 19:26:26 UTC

I think this is because the boolean skip_first in ssl_init_ctx_cert_chain is mistakenly initialized as TRUE (should be FALSE). This means the first certificate in the SSLCertificateChain file is always ignored. (The intent seems to be to allow the same file to be named in the SSLCertificateFile and SSLCertificateChain file directive. If this is the case, the code assumes the first certificate in the chain file is the SSL server's certificate. This certificate is skipped when adding the extra certificates to the SSL context.)

I have tested the attached patch against version 2.0.44 and verified that it causes the SSLCertificateChain directive to work as documented. I could not create an attachment, so I'll include the patch directly here (it is a one line change).

```diff
--- modules/ssl/ssl_engine_init.c.bak	Mon Jan 13 12:10:55 2003
+++ modules/ssl/ssl_engine_init.c	Fri Feb 28 15:30:42 2003
@@ -654,7 +654,7 @@
                                     apr_pool_t *ptemp, modssl_ctx_t *mctx)
 {
-    BOOL skip_first = TRUE;
+    BOOL skip_first = FALSE;
     int i, n;
     const char *chain = mctx->cert_chain;
```

Thanks for confirming that this is the right fix. Your bug report escaped my attention, but Madhu noticed this too back in January, and I reviewed that change with the committer, who agrees it was bogus. We've reverted back to defaulting to *NOT* skip_first as your patch proposed, and all should be well again with 2.0.45.
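Review bot: the flip from `BOOL skip_first = TRUE;` to `BOOL skip_first = FALSE;` restores the documented SSLCertificateChainFile behaviour, but the hunk leaves no comment recording why the variable exists at all; add a one-line comment above the initializer stating that it is only meant to become TRUE when the chain file is the same file as SSLCertificateFile (the shared-file case the report describes), so the next reader does not re-introduce TRUE as the default. The three context lines (`{`, `int i, n;`, `const char *chain = mctx->cert_chain;`) do not show the code path that sets skip_first for that shared-file case, so the reviewer should confirm in the full function that it still runs after this change.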
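As an added illustration (not code from the bug report or from httpd), the following Python model contrasts the behaviour the report describes (skip_first always TRUE, so the first certificate in SSLCertificateChainFile is dropped even when it is an intermediate) with the intended rule (skip the first entry only when it is the server's own certificate from SSLCertificateFile), and includes a defender's check for which chain certificates a client would never receive. The PEM blocks are constructed placeholders, not real certificates.

```python
import re

# Constructed placeholder PEM blocks; real files carry base64 DER bodies.
SERVER_CERT = "-----BEGIN CERTIFICATE-----\nSERVERCERT\n-----END CERTIFICATE-----"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----"
ROOT = "-----BEGIN CERTIFICATE-----\nROOTCA\n-----END CERTIFICATE-----"

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem(chain_file_text):
    """Return the certificate blocks found in a PEM file, in file order."""
    return PEM_RE.findall(chain_file_text)


def extra_certs_buggy(chain_file_text):
    """Behaviour reported for httpd 2.0.43/2.0.44: skip_first is always TRUE,
    so the first certificate in the chain file is never added to the context."""
    return split_pem(chain_file_text)[1:]


def extra_certs_intended(chain_file_text, server_cert_text):
    """Intended rule: skip the first chain entry only when it is the server
    certificate itself (the same file named in both directives). Comparison is
    on the PEM text, so both inputs are assumed to be normalised the same way."""
    certs = split_pem(chain_file_text)
    server = split_pem(server_cert_text)
    if certs and server and certs[0] == server[0]:
        certs = certs[1:]
    return certs


def missing_from_handshake(sent, expected):
    """Defender's check: chain certificates a client would not receive.
    A missing intermediate shows up as an 'unable to get local issuer
    certificate' style verification failure on the client side."""
    return [c for c in expected if c not in sent]
```

With a chain file holding only the intermediate and root, the buggy path sends just the root, and the check reports the intermediate as missing.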