Steven Feltner created TS-3027:
----------------------------------

             Summary: Hashed SSL Intermediate Server Certs not recognized
                 Key: TS-3027
                 URL: https://issues.apache.org/jira/browse/TS-3027
             Project: Traffic Server
          Issue Type: Bug
          Components: SSL
            Reporter: Steven Feltner
Tested on:
CentOS 6.5 x86_64
trafficserver-5.0.1

Pertinent Config Values:
CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
#CONFIG proxy.config.ssl.CA.cert.filename STRING combined_ca_bundle.crt
CONFIG proxy.config.ssl.CA.cert.path STRING /var/linhosting/users/local
(with and without CA.cert.filename configured)
CONFIG proxy.config.ssl.client.certification_level INT 0
CONFIG proxy.config.ssl.client.verify.server INT 0

c_rehash (from OpenSSL) called from command line to create hash symlinks

Currently, SSL_CTX_load_verify_locations is only called in two cases:
if (params->clientCertLevel != 0) {
and
if (params->clientVerify) {

Attached patch will create a precedence such that:
if ssl_ca_name= is configured in ssl_multicert.config
    use that to build the cert chain
else if proxy.config.ssl.CA.cert.filename is configured (along with proxy.config.ssl.CA.cert.path)
    use that file to build the chain
else if proxy.config.ssl.CA.cert.path is configured (and proxy.config.ssl.CA.cert.filename is NULL)
    use the hashed symlinks in that directory to build the chain
else
    error out because we don't have the right configuration to build the chain

--
This message was sent by Atlassian JIRA
(v6.2#6252)
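The precedence described in the ticket, written out as an added example in C. This is not the attached patch and not Traffic Server code: it only resolves which (CAfile, CApath) pair the caller would hand to SSL_CTX_load_verify_locations, and adds the check a practitioner wants for the third case, namely that the CApath directory actually contains c_rehash-style links (8 hex digits, a dot, an index; CRL links carry an "r" before the index). Without such links OpenSSL finds nothing in the directory and the chain silently stays incomplete. The function and field names are this example's own; the treatment of ssl_ca_name as a plain file argument is an assumption.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/* Which source the precedence rule selected (names are this example's own). */
enum ca_source { CA_NONE = 0, CA_FROM_MULTICERT, CA_FROM_FILE, CA_FROM_PATH };

/* The pair that would be passed as (CAfile, CApath) to SSL_CTX_load_verify_locations. */
struct ca_choice {
    enum ca_source source;
    const char *file;   /* CAfile argument, or NULL */
    const char *path;   /* CApath argument, or NULL */
};

static int is_set(const char *s) { return s != NULL && s[0] != '\0'; }

/* Precedence from TS-3027: ssl_ca_name > CA.cert.filename (+path) > CA.cert.path > nothing.
 * Assumption: ssl_ca_name is used directly as the CAfile argument. */
struct ca_choice resolve_ca_source(const char *ssl_ca_name,
                                   const char *ca_cert_filename,
                                   const char *ca_cert_path)
{
    struct ca_choice c = { CA_NONE, NULL, NULL };
    if (is_set(ssl_ca_name)) {
        c.source = CA_FROM_MULTICERT;
        c.file = ssl_ca_name;
    } else if (is_set(ca_cert_filename)) {
        c.source = CA_FROM_FILE;
        c.file = ca_cert_filename;
        c.path = ca_cert_path;          /* may be NULL; OpenSSL accepts that */
    } else if (is_set(ca_cert_path)) {
        c.source = CA_FROM_PATH;
        c.path = ca_cert_path;          /* hashed-symlink directory from c_rehash */
    }
    return c;
}

/* True for names c_rehash produces: XXXXXXXX.N for certs, XXXXXXXX.rN for CRLs. */
int is_hashed_link_name(const char *name)
{
    size_t i;
    if (strlen(name) < 10) return 0;
    for (i = 0; i < 8; i++)
        if (!isxdigit((unsigned char)name[i])) return 0;
    if (name[8] != '.') return 0;
    i = 9;
    if (name[i] == 'r') i++;
    if (name[i] == '\0') return 0;
    for (; name[i] != '\0'; i++)
        if (!isdigit((unsigned char)name[i])) return 0;
    return 1;
}

/* Count hashed links in a CApath directory; -1 if the directory cannot be opened. */
int count_hashed_links(const char *dir)
{
    DIR *d = opendir(dir);
    struct dirent *e;
    int n = 0;
    if (d == NULL) return -1;
    while ((e = readdir(d)) != NULL)
        if (is_hashed_link_name(e->d_name)) n++;
    closedir(d);
    return n;
}

/* 0 when the chosen source is usable; 1 when nothing is configured (the ticket's
 * "error out" case); 2 when CApath was chosen but holds no c_rehash links. */
int check_ca_choice(const struct ca_choice *c)
{
    if (c->source == CA_NONE) return 1;
    if (c->source == CA_FROM_PATH && count_hashed_links(c->path) <= 0) return 2;
    return 0;
}

int main(void)
{
    /* Constructed sample matching the ticket's records.config: filename NULL, path set. */
    struct ca_choice c = resolve_ca_source(NULL, NULL, "/var/linhosting/users/local");
    printf("source=%d file=%s path=%s status=%d\n", c.source,
           c.file ? c.file : "(null)", c.path ? c.path : "(null)", check_ca_choice(&c));
    return 0;
}
```

Run against the ticket's configuration, status 2 means the directory exists but c_rehash was never run there (or its links were removed), which is the state a build-the-chain error should name explicitly rather than a generic verify failure.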