Hi mod_ssl devs, I have a small patch for mod_ssl that uses new OpenSSL (>=1.0.2) methods when available to automatically rebuild misconfigured certificate chains.
Github pull request: https://github.com/apache/httpd/pull/7

Some of the common server chain misconfigurations are a) including the self-signed root certificate in the chain and b) missing an intermediate certificate in the chain. a) is bad because it bloats the handshake and b) is bad because the client can't always validate the chain.

The patch fixes a) by sanity-checking the chain and chopping self-signed roots. I believe it's harmless to turn on by default as the rebuild step will either yield a valid chain or preserve the original configuration.

I've no good idea how to reliably detect and fix missing intermediates but would be happy to try out any good suggestions.

Cheers,
Emilia
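The two misconfigurations and the "valid chain or untouched configuration" rule above, worked through as an added example. This is not the patch's code and not OpenSSL's SSL_CTX_build_cert_chain: it is a stand-alone model in which a certificate is reduced to its subject and issuer names (the `Cert` class, the `rebuild_chain` function, the status strings and the `CN=Example ...` certificates are all constructed for this illustration). It follows issuer links from the leaf, so it also repairs a mis-ordered chain; drops a trailing self-signed root (case a); and, when the walk ends at a certificate whose issuer is neither in the chain nor among the configured trusted roots (case b), reports the gap and returns the configured chain unchanged rather than guessing at an intermediate.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: only the names matter here."""
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        # Cheap name test only; a real check also verifies the signature
        # with the certificate's own public key.
        return self.subject == self.issuer


def rebuild_chain(configured: List[Cert],
                  trusted_roots: Iterable[str]) -> Tuple[List[Cert], str, List[str]]:
    """Sanity-check a configured chain (model of the rebuild step, not mod_ssl code).

    Returns (chain, status, notes), where status is one of
      "ok"                    leaf -> ... -> cert issued by a trusted root
      "chopped-root"          case a): trailing self-signed root removed
      "missing-intermediate"  case b): a link is missing; configured chain kept as-is
    """
    if not configured:
        raise ValueError("no certificate configured")
    roots = set(trusted_roots)
    leaf, extras = configured[0], configured[1:]
    by_subject = {c.subject: c for c in extras}
    notes: List[str] = []

    # Walk issuer links starting at the leaf. Looking each issuer up by name
    # also puts a mis-ordered chain back into leaf-first order.
    ordered = [leaf]
    while True:
        cur = ordered[-1]
        nxt = by_subject.get(cur.issuer)
        if cur.self_signed or nxt is None or nxt in ordered:
            break
        ordered.append(nxt)

    unused = [c for c in extras if c not in ordered]
    if unused:
        notes.append("ignored certificates not on the leaf's issuer path: "
                     + ", ".join(c.subject for c in unused))

    tail = ordered[-1]
    if tail.self_signed and len(ordered) > 1:
        # Case a): clients must already hold the root to trust it, so sending it
        # only bloats the handshake. Every link was followed to this root, so the
        # remaining chain is complete.
        notes.append("dropped self-signed root " + tail.subject)
        return ordered[:-1], "chopped-root", notes

    if tail.self_signed or tail.issuer in roots:
        # Self-signed leaf, or the chain ends at a certificate a trusted root issued.
        return ordered, "ok", notes

    # Case b): the walk stopped short of any root we know about. The missing
    # intermediate cannot be fabricated, so the configuration is left untouched.
    notes.append("missing intermediate: no certificate for issuer " + tail.issuer)
    return configured, "missing-intermediate", notes


# Constructed sample PKI: root -> intermediate -> leaf.
ROOT = Cert("CN=Example Root", "CN=Example Root")
INTER = Cert("CN=Example Intermediate", "CN=Example Root")
LEAF = Cert("CN=www.example.test", "CN=Example Intermediate")

if __name__ == "__main__":
    for label, chain in [("root included, mis-ordered", [LEAF, ROOT, INTER]),
                         ("intermediate missing", [LEAF]),
                         ("already correct", [LEAF, INTER])]:
        new_chain, status, notes = rebuild_chain(chain, ["CN=Example Root"])
        print(label, "->", status, [c.subject for c in new_chain], notes)
```

The "missing-intermediate" branch is the part the message says it has no reliable fix for: the model can only detect the gap, because anything beyond the last configured certificate would have to come from outside the server's own configuration.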
