On Mon, Jun 15, 2015 at 11:10 AM, Jeff Trawick <traw...@gmail.com> wrote:
> On Mon, Jun 15, 2015 at 10:54 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
>
>> On Mon, Jun 15, 2015 at 8:12 AM, Eric Covener <cove...@gmail.com> wrote:
>>
>>> Anyone else inclined to just remove the message? It's a deprecation that
>>> didn't happen on a release boundary. AFAICT there's no reason to change how
>>> you run your server unless you use two different cert chains and then you'd
>>> find the info in the manual.
>>>
>>
>> +1, this is highly irregular. Our general statement is that config
>> changes are not strictly necessary on subversion updates of httpd.
>> (Securing your SSLCipherList notwithstanding.)
>>
>> Bill
>>
>
> +1, but IMO the whole idea should be revisited.
>
> Storing intermediate certificates separately is a problem when you have
> multiple certificates with different algorithms. (Which server cert(s)
> do/does the intermediate cert file go with?)
>
> For cases where there's no ambiguity, we have a trade-off between
>
> 1) being able to get rid of the directive since the intermediate certs
> don't necessarily need to be stored separately
> 2) a future migration headache, if not nightmare, for sites with many
> vhosts where different users manage the certs
>
> We need to favor #2.
>
> For cases where there is an ambiguity, we should deprecate being able to
> configure that, and visibly warn that there's a likely problem ASAP.
>

well, "a likely problem" can't be right, unless they just configured it and
it doesn't work correctly yet :)

--
Born in Roswell... married an alien...
http://emptyhammock.com/