I found that the SSLCertificateChainFile directive was not behaving the same as it did in Apache v1.3. According to Verisign, when using a global certificate, you need to use the above directive to provide the client with the intermediate CA. So, in my old v1.3 configuration I had the following 3 directives:

SSLCertificateChainFile ssl.crt/ca.crt
SSLCertificateFile ssl.crt/server.crt
SSLCertificateKeyFile ssl.key/server.key

This doesn't work under Apache 2, however. The certificate in the chain file never seems to be presented to the client. Clients were being presented with the "unrecognized signing authority" error. According to the comments in the ssl.conf sample config file, you can also point it to the SSLCertificateFile if the intermediate CA is directly appended to the bottom of the file. This did fix the problem. Here are my specs:

RH v7.3
openssl-0.9.6b-28
./configure --prefix=/a01/app/dpxdemo/apache_2.0.43 --enable-mods-shared=all --enable-ssl

Thanks,
John
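The symptom in the report above can be reproduced and checked without a web server. The following script is an added example, not part of the original bug report or of httpd: it builds a root, an intermediate and a server certificate with the openssl CLI, then verifies the server certificate the way a client that trusts only the root would, first with no intermediate presented (the "unrecognized signing authority" case) and then with the intermediate supplied, which is what SSLCertificateChainFile, or the intermediate appended to SSLCertificateFile, is meant to achieve. All names, paths and the temporary directory are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the bug report or httpd): recreate the missing
# intermediate symptom with the openssl CLI. Names/paths are assumptions.
set -eu

WORK="${TMPDIR:-/tmp}/chainfile-demo.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Extensions marking a certificate as a CA; without CA:TRUE openssl verify
# will not accept the intermediate as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"

# Key + CSR for one name. $1 = file prefix, $2 = CN (both assumed values).
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" >/dev/null 2>&1
}

build_pki() {
  new_csr root "Demo Root CA"
  new_csr int "Demo Intermediate CA"
  new_csr server "www.example.test"
  # Self-signed root.
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -sha256 -extfile "$WORK/ca.ext" -out "$WORK/root.crt" >/dev/null 2>&1
  # Intermediate signed by the root.
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" \
    -out "$WORK/int.crt" >/dev/null 2>&1
  # Server certificate signed by the intermediate.
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" \
    -out "$WORK/server.crt" >/dev/null 2>&1
  # The workaround from the report: intermediate appended below the server cert.
  cat "$WORK/server.crt" "$WORK/int.crt" > "$WORK/server-with-chain.crt"
}

# Verify the server cert as a client trusting only the root would.
# $1 = optional file of untrusted intermediates (what the server "presents").
# Prints OK or FAIL.
verify_leaf() {
  if [ -n "${1:-}" ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$1" "$WORK/server.crt" \
      >/dev/null 2>&1 && echo OK || echo FAIL
  else
    openssl verify -CAfile "$WORK/root.crt" "$WORK/server.crt" \
      >/dev/null 2>&1 && echo OK || echo FAIL
  fi
}

# Number of PEM certificates in a file: what a chain file actually carries.
count_certs() { grep -c 'BEGIN CERTIFICATE' "$1"; }

build_pki
echo "root only, no intermediate presented:     $(verify_leaf)"
echo "intermediate presented as chain file:     $(verify_leaf "$WORK/int.crt")"
echo "server cert with intermediate appended:   $(verify_leaf "$WORK/server-with-chain.crt")"
echo "certs in server-with-chain.crt:           $(count_certs "$WORK/server-with-chain.crt")"
```

The first verification fails with "unable to get local issuer certificate", which is the client-side view of the error the report describes; the second and third succeed because the intermediate is available to build the path to the trusted root. Against a live server, `openssl s_client -connect host:443 -showcerts` shows which certificates are actually being sent and is the quickest way to confirm whether the chain file is taking effect.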
I think this is because the boolean skip_first in ssl_init_ctx_cert_chain is mistakenly initialized as TRUE (should be FALSE). This means the first certificate in the SSLCertificateChain file is always ignored. (The intent seems to be to allow the same file to be named in the SSLCertificateFile and SSLCertificateChain file directive. If this is the case, the code assumes the first certificate in the chain file is the SSL server's certificate. This certificate is skipped when adding the extra certificates to the SSL context.) I have tested the attached patch against version 2.0.44 and verified that it causes the SSLCertificateChain directive to work as documented.
I could not create an attachment, so I'll include the patch directly here (it is a one line change). --- modules/ssl/ssl_engine_init.c.bak Mon Jan 13 12:10:55 2003 +++ modules/ssl/ssl_engine_init.c Fri Feb 28 15:30:42 2003 @@ -654,7 +654,7 @@ apr_pool_t *ptemp, modssl_ctx_t *mctx) { - BOOL skip_first = TRUE; + BOOL skip_first = FALSE; int i, n; const char *chain = mctx->cert_chain;
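Review bot: hard-coding skip_first to FALSE in ssl_init_ctx_cert_chain makes the documented single-purpose chain file work, but it also drops the special case the previous comment describes, where SSLCertificateFile and SSLCertificateChainFile name the same file; with FALSE the server certificate in that file is now added to the extra chain as well. Rather than a constant of either value, consider deriving skip_first from whether mctx->cert_chain refers to the same file (or the same leading certificate) as the server certificate, and add a comment at the declaration stating why the first entry is or is not skipped, since the silent TRUE is exactly what made this bug hard to spot.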
Thanks for confirming that this is the right fix. Your bug report escaped my attention, but Madhu noticed this too back in January, and I reviewed that change with the committer, who agrees it was bogus. We've reverted back to defaulting to *NOT* skip_first as your patch proposed, and all should be well again with 2.0.45.