Description
Tested on:
CentOS 6.5 x86_64
trafficserver-5.0.1
Pertinent Config Values:
CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
#CONFIG proxy.config.ssl.CA.cert.filename STRING combined_ca_bundle.crt
CONFIG proxy.config.ssl.CA.cert.path STRING /var/linhosting/users/local
(with and without CA.cert.filename configured)
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.client.verify.server INT 0
c_rehash (from OpenSSL) was run from the command line to create the hash symlinks in that directory
Currently, SSL_CTX_load_verify_locations is only called in two cases:
if (params->clientCertLevel != 0) {
and
if (params->clientVerify) {
The attached patch creates the following precedence:
if ssl_ca_name= is configured in ssl_multicert.config
use that to build the cert chain
else if proxy.config.ssl.CA.cert.filename is configured (along with proxy.config.ssl.CA.cert.path)
use that file to build the chain
else if proxy.config.ssl.CA.cert.path is configured (and proxy.config.ssl.CA.cert.filename is NULL)
use the hashed symlinks in that directory to build the chain
else
error out because we don't have the right configuration to build the chain
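To make the precedence concrete, below is an added example (my own code, not the attached patch and not Traffic Server's source) that resolves which source the chain would be built from and which CAfile/CApath arguments SSL_CTX_load_verify_locations would receive, reports whether the current code would load the chain at all given the certification_level/verify.server values above, and checks whether a directory listing looks like c_rehash output. All names (CaConfig, resolveChainSource, chainWouldLoadToday, isHashedLinkName) are my own, and the assumption that a relative ssl_ca_name is resolved against CA.cert.path, as CA.cert.filename is, is mine.

```cpp
#include <cctype>
#include <cstdio>
#include <string>
#include <vector>

// Inputs to the precedence described in the issue. Empty string stands for
// a NULL/unset record. Field names are my own, not Traffic Server's.
struct CaConfig {
    std::string multicert_ca_name;  // ssl_ca_name= from ssl_multicert.config
    std::string ca_cert_filename;   // proxy.config.ssl.CA.cert.filename
    std::string ca_cert_path;       // proxy.config.ssl.CA.cert.path
};

enum class ChainSource { MulticertCaName, CaCertFile, CaCertPath, Error };

// What would be handed to SSL_CTX_load_verify_locations(ctx, CAfile, CApath).
struct VerifyLocations {
    ChainSource source;
    std::string ca_file;  // CAfile argument ("" means NULL)
    std::string ca_path;  // CApath argument ("" means NULL)
};

// Assumption: a relative file name is looked up under CA.cert.path.
static std::string joinPath(const std::string &dir, const std::string &name) {
    if (dir.empty() || name.empty() || name[0] == '/') return name;
    return dir.back() == '/' ? dir + name : dir + "/" + name;
}

// The four-way precedence from the issue, highest priority first.
VerifyLocations resolveChainSource(const CaConfig &cfg) {
    if (!cfg.multicert_ca_name.empty())
        return {ChainSource::MulticertCaName, joinPath(cfg.ca_cert_path, cfg.multicert_ca_name), ""};
    if (!cfg.ca_cert_filename.empty())
        return {ChainSource::CaCertFile, joinPath(cfg.ca_cert_path, cfg.ca_cert_filename), ""};
    if (!cfg.ca_cert_path.empty())
        return {ChainSource::CaCertPath, "", cfg.ca_cert_path};  // hashed symlinks
    return {ChainSource::Error, "", ""};  // nothing to build the chain from
}

// Behaviour the issue reports for the current code: the verify locations are
// loaded only when client-cert checking or server verification is enabled.
bool chainWouldLoadToday(int clientCertLevel, int clientVerify) {
    return clientCertLevel != 0 || clientVerify != 0;
}

// c_rehash names its links <8 hex digits>.<n> for certificates and
// <8 hex digits>.r<n> for CRLs; anything else is not a hash link.
bool isHashedLinkName(const std::string &name) {
    if (name.size() < 10) return false;
    for (size_t i = 0; i < 8; ++i)
        if (!std::isxdigit(static_cast<unsigned char>(name[i]))) return false;
    if (name[8] != '.') return false;
    size_t i = 9;
    if (name[i] == 'r') ++i;
    if (i >= name.size()) return false;
    for (; i < name.size(); ++i)
        if (!std::isdigit(static_cast<unsigned char>(name[i]))) return false;
    return true;
}

// True if at least one entry of a directory listing is a c_rehash link,
// i.e. CA.cert.path without CA.cert.filename has a chance of working.
bool dirLooksRehashed(const std::vector<std::string> &entries) {
    for (const auto &e : entries)
        if (isHashedLinkName(e)) return true;
    return false;
}

int main() {
    // Constructed sample mirroring the reporter's values: no ssl_ca_name,
    // CA.cert.filename NULL, CA.cert.path set, both verify knobs at 0.
    CaConfig cfg{"", "", "/var/linhosting/users/local"};
    VerifyLocations loc = resolveChainSource(cfg);
    std::printf("source=%d CAfile='%s' CApath='%s'\n", static_cast<int>(loc.source),
                loc.ca_file.c_str(), loc.ca_path.c_str());
    std::printf("current code loads chain: %s\n", chainWouldLoadToday(0, 0) ? "yes" : "no");
    // Constructed directory listing: one c_rehash link plus the bundle itself.
    std::vector<std::string> listing{"3b1c6c1d.0", "combined_ca_bundle.crt"};
    std::printf("looks rehashed: %s\n", dirLooksRehashed(listing) ? "yes" : "no");
    return 0;
}
```

With the reporter's configuration the resolver picks CaCertPath and passes the directory as CApath, while chainWouldLoadToday(0, 0) is false, which is exactly the gap the patch closes: the chain configuration is present but never loaded unless client verification is switched on.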