On Tue, Sep 22, 1998, Lai Yiu Fai wrote:
> Has anyone defined both SSLCACertificatePath and SSLCACertificateFile
> in the config file? I enabled the 'ca-bundle.crt' via SSLCACertificateFile for
> well-known CAs and other self-signed CAs in SSLCACertificatePath. And I
> found that the certs in the SSLCACertificatePath directory are totally ignored.
> After that, I commented out SSLCACertificateFile and everything works like a
> charm. Can SSLCACertificatePath and SSLCACertificateFile be used together?
> Or is it a bug in mod-sw-ssl, or SSLeay instead?

Hmmmm... just yesterday evening a friend sent me some SSLeay debugging stuff
which shows that SSLeay _always_ checks the SSLCACertificatePath dir first and
only then the SSLCACertificateFile stuff. So it's interesting that it's
ignoring your dir when SSLCACertificateFile is present. Actually, if this is
a bug, it doesn't look like it's inside mod_ssl, because both things (the dir
and the file) are configured at the same time with the SSLeay function
(SSL_CTX_load_verify_locations, see around line 710 in mod_ssl.c) and mod_ssl
itself doesn't do anything else with them.

So, I currently have no clue why the path stuff is ignored _only_ when the file
is present. It can be "ignored", yes, but then both with and without
SSLCACertificateFile: when your hash symlinks are incorrect (as was the
case for my friend yesterday). Does anybody else have a hint?

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
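
One way to check for the "hash symlinks are incorrect" case mentioned in the reply, as an added example that is not part of the original thread or of mod_ssl. It assumes the `openssl` command-line tool is installed; `cert_hash` and `audit_capath` are hypothetical helper names.

```shell
#!/bin/sh
# Audit an SSLCACertificatePath-style directory of CA certificates.

# cert_hash FILE: print the subject-name hash used for directory lookups.
# Assumption: the openssl CLI on PATH comes from the same library build the
# server links against; the name-hash algorithm differs between generations.
cert_hash() {
    openssl x509 -noout -hash -in "$1" 2>/dev/null
}

# audit_capath DIR (hypothetical helper): print one line per problem and
# return 1 if any was found, 0 if every entry is consistent.
audit_capath() {
    dir=$1; bad=0; x='[0-9a-f]'
    for entry in "$dir"/*; do
        name=${entry##*/}
        case $name in
            $x$x$x$x$x$x$x$x.[0-9]*)            # lookup entry: <hash>.<n>
                want=${name%%.*}
                if [ ! -e "$entry" ]; then       # symlink target is gone
                    echo "DANGLING $name"; bad=1
                else
                    got=$(cert_hash "$entry") || got=
                    if [ "$got" != "$want" ]; then
                        echo "MISMATCH $name (certificate hashes to ${got:-nothing})"
                        bad=1
                    fi
                fi ;;
            *.crt|*.pem)                         # certificate: needs an entry
                [ -f "$entry" ] || continue
                got=$(cert_hash "$entry") && [ -n "$got" ] || continue
                set -- "$dir/$got".[0-9]*        # unexpanded if nothing matches
                [ -e "$1" ] || { echo "UNINDEXED $name (expected $got.0)"; bad=1; }
                ;;
        esac
    done
    return "$bad"
}

# Stand-alone use: sh audit_capath.sh /path/to/ca-directory
if [ $# -gt 0 ]; then audit_capath "$1"; fi
```

A directory that reports nothing here is laid out the way the CA path lookup expects, so a cert that is still ignored points away from the symlinks.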