On Wed, Sep 17, 2008 at 05:06:55PM -0700, Wan-Teh Chang wrote:
> On Wed, Sep 17, 2008 at 4:52 PM, Eddy Nigg <[EMAIL PROTECTED]> wrote:
> >
> > I've been banging my head against a wall here because of this FUD and
> > about misinformation which is absolutely incorrect. Sad, because there
> > are many FF users running into it. And it doesn't help to ignore the
> > fact that web site admins don't install their certs correctly - it works
> > in IE and that's it.
>
> It would be nice to contribute a patch for Apache/mod_ssl to validate
> its own certificate chain at startup.

[catching up on some old e-mail!]

This would be quite simple to do, but mod_ssl doesn't necessarily have access to a set of trusted CA certs against which to validate a server cert, so it couldn't be universally applied.

It might be possible for mod_ssl to determine whether OpenSSL has in fact been configured with a set of default CAs (many Linux distributions do set this up), and perform validation only in that case.

Regards, Joe
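
The conditional check discussed in this message, sketched as an added example in Python's `ssl` module (not mod_ssl code and not from the thread): validate the configured chain only when OpenSSL's default CA locations hold something. The function names and the "non-empty file or directory" heuristic are assumptions made for the illustration.

```python
import os
import ssl

def usable_default_cas(cafile=None, capath=None):
    """Return (cafile, capath), each None unless it exists and is non-empty."""
    if cafile is None and capath is None:
        # Locations built into the linked OpenSSL (or set through its env vars).
        paths = ssl.get_default_verify_paths()
        cafile, capath = paths.cafile, paths.capath
    has_file = bool(cafile) and os.path.isfile(cafile) and os.path.getsize(cafile) > 0
    has_dir = bool(capath) and os.path.isdir(capath) and bool(os.listdir(capath))
    return (cafile if has_file else None, capath if has_dir else None)

def check_own_chain(certfile, keyfile, cafile=None, capath=None):
    """Startup self-check: does the chain we would serve verify against the CAs?"""
    ca_file, ca_dir = usable_default_cas(cafile, capath)
    if not (ca_file or ca_dir):
        return "skipped: no default CA store configured"
    server = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    server.load_cert_chain(certfile, keyfile)   # leaf plus any intermediates
    client = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    client.check_hostname = False               # chain only; name matching is separate
    client.load_verify_locations(cafile=ca_file, capath=ca_dir)
    # In-memory handshake: the client sees exactly what the server would send.
    to_server, to_client = ssl.MemoryBIO(), ssl.MemoryBIO()
    c = client.wrap_bio(to_client, to_server)
    s = server.wrap_bio(to_server, to_client, server_side=True)
    try:
        for _ in range(20):
            finished = 0
            for side in (c, s):
                try:
                    side.do_handshake()
                    finished += 1
                except (ssl.SSLWantReadError, ssl.SSLWantWriteError):
                    pass                        # waiting on the peer's next flight
            if finished == 2:
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return "chain invalid: " + exc.verify_message
    return "handshake did not complete"
```

Calling `check_own_chain` with only the certificate and key paths uses the OpenSSL defaults; a missing intermediate in the served file shows up as a "chain invalid" result.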

