Yep.. The older logic was initializing the bSkipFirst = FALSE. Although I haven't tested the fix, the logic seems to be broken b/w r1.69 and r1.70 (unless it was done deliberately)
$ cvs log ssl_engine_init.c
...
revision 1.70
date: 2002/03/28 01:07:20; author: dougm; state: Exp; lines: +52 -40
break out certificate chain initialization into ssl_init_cert_chain function
...

-Madhu

>-----Original Message-----
>From: Tadasuke SUDO [mailto:[EMAIL PROTECTED]]
>Sent: Tuesday, January 07, 2003 2:17 AM
>To: [EMAIL PROTECTED]
>Subject: mod_ssl(httpd-2.0.43) always skips a leading certificate of
>SSLCertificateChainFile
>
>
>Hello,
>
>
>I encountered a problem that mod_ssl(httpd-2.0.43) always skips
>a leading certificate of SSLCertificateChainFile.
>
>So, I checked the source code of httpd-2.0.43, and I found the related
>codes in "ssl_engine_init.c". In a function
>"ssl_init_ctx_cert_chain()", a function
>"SSL_CTX_use_certificate_chain()" is invoked with some arguments - the
>third argument is a local boolean variable "skip_first". If
>skip_first is TRUE, SSL_CTX_use_certificate_chain() skips a leading
>certificate of SSLCertificateChainFile. Because
>ssl_init_ctx_cert_chain() initializes skip_first to TRUE and doesn't
>make it FALSE, skip_first is always TRUE. Therefore, a leading
>certificate of SSLCertificateChainFile is always skipped.
>I think skip_first should be initialized to FALSE.
>
>(Since mod_ssl-2.8.12-1.3.27 works fine,
> I checked its source code. There are similar codes, and
> skip_first is initialized to FALSE.)
>
>----
>Tadasuke SUDO
>
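
An added illustration, not part of the thread and not mod_ssl's code: a simplified C model of the behaviour reported above, showing how an always-TRUE skip flag drops the first CA certificate from a chain file. The function names, the file names and the rule in `should_skip_first` (skip only when the chain file is also the server certificate file) are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define PEM_BEGIN "-----BEGIN CERTIFICATE-----"

/* Simplified model of a chain loader: counts the PEM certificates in `pem`
 * that would be added as extra chain certificates. When skip_first is
 * non-zero the leading certificate is dropped, as the thread describes. */
static int chain_certs_loaded(const char *pem, int skip_first)
{
    int loaded = 0;
    const char *p = pem;
    while ((p = strstr(p, PEM_BEGIN)) != NULL) {
        p += strlen(PEM_BEGIN);
        if (skip_first) {       /* drop only the leading certificate */
            skip_first = 0;
            continue;
        }
        loaded++;
    }
    return loaded;
}

/* Assumed intent of the flag: skip the first certificate only when the chain
 * file is the same file as the server certificate, because then the first
 * entry is the server certificate itself, not a CA certificate. */
static int should_skip_first(const char *cert_file, const char *chain_file)
{
    return cert_file && chain_file && strcmp(cert_file, chain_file) == 0;
}

/* Constructed sample: bodies are placeholders, only the PEM markers matter. */
static const char CHAIN_ONLY[] =
    PEM_BEGIN "\n(intermediate CA)\n-----END CERTIFICATE-----\n"
    PEM_BEGIN "\n(root CA)\n-----END CERTIFICATE-----\n";

int main(void)
{
    /* Reported behaviour: flag always TRUE, so the intermediate CA is lost. */
    printf("always skip: %d of 2 loaded\n", chain_certs_loaded(CHAIN_ONLY, 1));
    /* Separate chain file (hypothetical names): nothing should be skipped. */
    int skip = should_skip_first("server.crt", "chain.crt");
    printf("separate files: %d of 2 loaded\n", chain_certs_loaded(CHAIN_ONLY, skip));
    return 0;
}
```

With the flag stuck at TRUE, a chain file holding only CA certificates loses its first entry, so clients that do not already hold that intermediate cannot build a path to the root.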