[ 
https://issues.apache.org/jira/browse/TS-3027?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14107398#comment-14107398
 ] 

ASF subversion and git services commented on TS-3027:
-----------------------------------------------------

Commit 5b1b1e06755029e0bbb41a1000124dd356d14bde in trafficserver's branch 
refs/heads/master from [~reveller]
[ https://git-wip-us.apache.org/repos/asf?p=trafficserver.git;h=5b1b1e0 ]

TS-3027: add hashed intermediate certificate support

if ssl_ca_name= is configured in ssl_multicert.config
  use that to build the cert chain
else if proxy.config.ssl.CA.cert.filename is configured (along with 
proxy.config.ssl.CA.cert.path)
  use that file to build the chain
else if proxy.config.ssl.CA.cert.path is configured (and 
proxy.config.ssl.CA.cert.filename is NULL)
  use the hashed symlinks in that directory to build the chain
else
  error out because we don't have the right configuration to build the chain


> Hashed SSL Intermediate Server Certs not recognized
> ---------------------------------------------------
>
>                 Key: TS-3027
>                 URL: https://issues.apache.org/jira/browse/TS-3027
>             Project: Traffic Server
>          Issue Type: Bug
>          Components: SSL
>            Reporter: Steven Feltner
>            Assignee: James Peach
>             Fix For: 5.1.0
>
>         Attachments: HashedSSL.patch
>
>
> Tested on: 
> CentOS 6.5 x86_64
> trafficserver-5.0.1
> Pertinent Config Values:
> CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
> #CONFIG proxy.config.ssl.CA.cert.filename STRING combined_ca_bundle.crt
> CONFIG proxy.config.ssl.CA.cert.path STRING /var/linhosting/users/local
> (with and without CA.cert.filename configured)
> CONFIG proxy.config.ssl.client.certification_level INT 0
> CONFIG proxy.config.ssl.client.verify.server INT 0
> c_rehash (from OpenSSL) called from command line to create hash symlinks
> Currently, SSL_CTX_load_verify_locations is only called in two cases:
> if (params->clientCertLevel != 0) {
> and
> if (params->clientVerify) {
> Attached patch will create a precedence such that:
> if ssl_ca_name= is configured in ssl_multicert.config
>   use that to build the cert chain
> else if proxy.config.ssl.CA.cert.filename is configured (along with 
> proxy.config.ssl.CA.cert.path)
>   use that file to build the chain
> else if proxy.config.ssl.CA.cert.path is configured (and 
> proxy.config.ssl.CA.cert.filename is NULL)
>   use the hashed symlinks in that directory to build the chain
> else
>   error out because we don't have the right configuration to build the chain



--
This message was sent by Atlassian JIRA
(v6.2#6252)
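The chain-source precedence described in the commit message above, as an added example that is not Traffic Server's own code: it parses the records.config lines quoted in the issue and an ssl_multicert.config line, applies the four-way precedence, and additionally checks that a directory used in hashed mode actually contains c_rehash-style `<hash>.N` symlinks (that check, the joining of filename onto path, and the sample multicert line are assumptions of this example).

```python
import os
import re

# Constructed sample of the records.config lines quoted in the issue (not a real deployment).
RECORDS_CONFIG = """\
CONFIG proxy.config.ssl.CA.cert.filename STRING NULL
#CONFIG proxy.config.ssl.CA.cert.filename STRING combined_ca_bundle.crt
CONFIG proxy.config.ssl.CA.cert.path STRING /var/linhosting/users/local
"""

# Constructed ssl_multicert.config line; key=value pairs, ssl_ca_name is the key that wins.
MULTICERT_LINE = "dest_ip=* ssl_cert_name=server.pem ssl_ca_name=intermediate.pem"

# c_rehash names each symlink <8 hex digits of the subject hash>.<N> (CRLs use .rN).
HASHED_NAME = re.compile(r"^[0-9a-f]{8}\.r?\d+$")

def parse_records(text):
    """Map CONFIG name -> value; the literal STRING NULL means 'not configured'."""
    values = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "CONFIG":
            name, value = parts[1], parts[3]
            values[name] = None if value == "NULL" else value
    return values

def parse_multicert(line):
    """Split one ssl_multicert.config line into its key=value fields."""
    return dict(field.split("=", 1) for field in line.split() if "=" in field)

def resolve_chain_source(records, ssl_ca_name=None, listdir=os.listdir):
    """Apply the precedence from the commit: returns (mode, location) or raises."""
    ca_file = records.get("proxy.config.ssl.CA.cert.filename")
    ca_path = records.get("proxy.config.ssl.CA.cert.path")
    if ssl_ca_name:                      # 1. per-certificate chain from ssl_multicert.config
        return ("multicert", ssl_ca_name)
    if ca_file and ca_path:              # 2. single bundle file (assumed relative to CA.cert.path)
        return ("file", os.path.join(ca_path, ca_file))
    if ca_path:                          # 3. hashed directory lookup
        # Added check: an un-rehashed directory gives OpenSSL nothing to look up by hash,
        # so the intermediates would be silently missing from the served chain.
        if not any(HASHED_NAME.match(name) for name in listdir(ca_path)):
            raise ValueError(f"{ca_path} contains no c_rehash symlinks")
        return ("hashed_dir", ca_path)
    raise ValueError("no CA chain source configured")  # 4. error out
```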