Hi,

I've got a minor problem report regarding the use of SSLCertificateChainFile and SSLCACertificateFile.

If you define for a virtual host both directives SSLCertificateChainFile and SSLCACertificateFile, because you want to provide the full chain of your server certificate for the handshake and want to restrict issuers of client certificates, and you have a CA certificate which is present in both files, this certificate is sent TWICE during the SSL handshake (as observed with openssl s_client and pointed out by a customer).

I think this is a minor issue because
- Few sites use client certificates.
- The problem can most of the time be avoided by carefully using the two directives.
- Most browsers don't complain.

I do however think it is still an issue because
- Some clients do complain.
- Unnecessary data is transmitted during the handshake.

In my opinion the server handshake should only use certificates from the file pointed at by SSLCertificateChainFile, because this really is the directive which is responsible for the server chain. The SSLCACertificateFile should only be used for checking client certificates, or the merged product of these two files should be cleared of duplicates before the certificates are transmitted to the client.

What do others think about this?

Bye
Tim

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                             [EMAIL PROTECTED]
Automated List Manager                                [EMAIL PROTECTED]
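
A check for the overlap described in the message above, added here as an example (it is not part of the original post or of mod_ssl): it reports certificates that appear in both PEM files by comparing the SHA-256 of their decoded bytes, so differences in line wrapping do not hide a match. The function names are assumptions, and the sample blocks are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def fingerprints(pem_text):
    """SHA-256 of each certificate's decoded (DER) bytes, in file order."""
    return [hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
            for body in PEM_RE.findall(pem_text)]

def shared_certs(chain_pem, ca_pem):
    """Certificates present in both files, reported once, in chain order."""
    ca = set(fingerprints(ca_pem))
    dup = []
    for fp in fingerprints(chain_pem):
        if fp in ca and fp not in dup:
            dup.append(fp)
    return dup

def make_pem(der, width=64):
    """Wrap bytes as a PEM certificate block (used only for the sample data)."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + width] for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")

# Constructed placeholder bytes standing in for DER certificates.
INTERMEDIATE = b"constructed intermediate CA " * 8
ROOT = b"constructed root CA " * 8
CLIENT_CA = b"constructed client-issuing CA " * 8

# Contents of the file named by SSLCertificateChainFile (server chain).
CHAIN_FILE = make_pem(INTERMEDIATE) + make_pem(ROOT)
# Contents of the file named by SSLCACertificateFile; the intermediate is
# repeated here with a different line width, as another tool might write it.
CA_FILE = make_pem(CLIENT_CA) + make_pem(INTERMEDIATE, width=76)

if __name__ == "__main__":
    for fp in shared_certs(CHAIN_FILE, CA_FILE):
        print("in both files:", fp)
```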
