Hi again.

The following is my own opinion, and does not reflect an upstream
consensus.

On Thu, 14 Nov 2013 18:40:30 +0100
Roland Koebler <r.koeb...@yahoo.de> wrote:

> Hi,
> 
> > This is a loop.
> yes and no: It's not exactly a loop, since the two certificates belong
> to certificate-chains of two different certificates, in this case:
> 
> Cert1                         signed by PositiveSSL CA 2
> PositiveSSL CA 2              signed by AddTrust External CA Root
> AddTrust External CA Root     signed by UTN - DATACorp SGC
> 
> Cert2                         signed by EssentialSSL CA
> EssentialSSL CA               signed by COMODO Certification Authority
> COMODO Certification Authority signed by UTN - DATACorp SGC
> UTN - DATACorp SGC            signed by AddTrust External CA Root
> 
> 
> And I don't see why it should be a problem when e.g. two authorities
> sign each others certificates. So, even
> 
> Cert1 <- A <- B
> Cert2 <- B <- A
> 
> shouldn't cause *any* problem.

I see now what you're using it for. I still think this is wrong, but I
also can understand you don't want to change it for compat reasons.

> If this makes SSL of lighttpd break, it's a serious lighttpd-bug.

If there would be an easy and good way of fixing it, I would have done
it. Sadly openssl is a f*** piece of shit, and I decided that I wasted
enough time with it.
(I also disagree with the attribute "serious".)

> (By the way: Why does lighttpd even detect such loops? The
> lighttpd-config-file *exactly* defines ca-files for every
> SNI-domain, which lighttpd should simply send to the client. I don't
> see why lighttpd wants to be "smart" and analyzes these ca-files...)

lighttpd doesn't give a shit about your ca-files. It just hands them over
to openssl. Though with the new patch *all* your ca-files end up in the
same SSL_CTX, which openssl cannot handle (although you can blame
openssl for the stupid API itself, at this stage this can't be fixed;
there is no way to decide which certificates to pick from the merged
ca-lists).

If you want to understand the inner workings of all this, read the
code. If you want to live a happy life, don't.


I still hold to the argument that CA loops are wrong. Cross-signing CA
in *one* direction is ok, but both ways is just wrong.
Pick one (or more) CAs to be at the top, and use cross-signed certs up
to it.


Perhaps someone comes up with a patch fixing your problem. Perhaps it
even gets fixed upstream. But I'm done with openssl - sorry for this.

regards,
Stefan
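As an added illustration (not code from this thread, from lighttpd or from OpenSSL) of the point Stefan makes: a walker that blindly follows each certificate's issuer never terminates once AddTrust and UTN have signed each other, whereas a chain builder that searches toward an explicitly chosen trust anchor with a visited set always does. The certificate names are the ones quoted above; the subject/issuer tuple layout, the function names and the absence of any signature checking are assumptions made for this sketch only.

```python
"""Toy chain builder over the issuer/subject graph quoted in the thread.

Added example, not lighttpd or OpenSSL code.  Certificates are modelled
only by (subject, issuer) name pairs; no signatures are verified and no
X.509 is parsed.  Names come from the mail, everything else is assumed.
"""
from collections import deque

# Constructed from the two chains in the mail.  Note that the last two
# entries cross-sign each other in both directions.
CERTS = [
    ("Cert1", "PositiveSSL CA 2"),
    ("PositiveSSL CA 2", "AddTrust External CA Root"),
    ("AddTrust External CA Root", "UTN - DATACorp SGC"),
    ("Cert2", "EssentialSSL CA"),
    ("EssentialSSL CA", "COMODO Certification Authority"),
    ("COMODO Certification Authority", "UTN - DATACorp SGC"),
    ("UTN - DATACorp SGC", "AddTrust External CA Root"),
]


def issuers_of(certs):
    """Map each subject name to the list of issuer names that signed it."""
    graph = {}
    for subject, issuer in certs:
        graph.setdefault(subject, []).append(issuer)
    return graph


def naive_walk(certs, leaf, max_steps=20):
    """Follow issuer pointers until a self-signed cert or a dead end.

    With the two-way AddTrust <-> UTN cross-signing the merged set has no
    self-signed cert, so the walk cycles forever; the step limit only
    makes that visible by returning None instead of hanging.
    """
    graph = issuers_of(certs)
    chain = [leaf]
    current = leaf
    for _ in range(max_steps):
        nxt = graph.get(current)
        if not nxt or nxt[0] == current:   # no issuer known, or self-signed
            return chain
        current = nxt[0]
        chain.append(current)
    return None   # gave up: the issuer pointers loop


def build_chain(certs, leaf, trust_anchors):
    """Breadth-first search from the leaf to the nearest trust anchor.

    The visited set guarantees termination even when CAs cross-sign each
    other both ways, which is the "pick one CA to be at the top" approach.
    Returns the subject names from leaf to anchor, or None if unreachable.
    """
    graph = issuers_of(certs)
    queue = deque([[leaf]])
    visited = {leaf}
    while queue:
        path = queue.popleft()
        if path[-1] in trust_anchors:
            return path
        for issuer in graph.get(path[-1], []):
            if issuer not in visited:
                visited.add(issuer)
                queue.append(path + [issuer])
    return None


if __name__ == "__main__":
    print("naive walk from Cert1:", naive_walk(CERTS, "Cert1"))
    anchors = {"AddTrust External CA Root"}
    for leaf in ("Cert1", "Cert2"):
        print(leaf, "->", " -> ".join(build_chain(CERTS, leaf, anchors)))
```

Running it shows the naive walk giving up on Cert1 while the anchored search yields a three-element chain for Cert1 and a five-element chain for Cert2 through UTN, with the same set of certificates in one pool; choosing UTN as the anchor instead shortens Cert2's chain and lengthens Cert1's, which is exactly the choice a server has to make for its clients when both cross-signed roots are present.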

