Looking at the SSL 3.0 spec at http://wp.netscape.com/eng/ssl3/draft302.txt, there appears to be a size limit for the list of CA distinguished names:

    struct {
        CertificateType certificate_types<1..2^8-1>;
        DistinguishedName certificate_authorities<3..2^16-1>;
    } CertificateRequest;

If I interpret the spec correctly, this means 3 - 65535 bytes of data available for the list of DNs (someone please correct me if I am wrong). Perhaps you are hitting this limit.

Rich

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Keller Kind
Sent: Thursday, May 17, 2007 10:30 AM
To: modssl-users@modssl.org
Subject: Re: Problems with CA-Certifcates

2. Yes, I know that I can have more than one certificate in a PEM file. That is used for the SSLCACertificateFile option. But this didn't solve the problem. There is no difference between having more than 250 single certificate files or one file with 250 certificates.

In the SSL handshake the server sends to the client which CAs he accepts. This message seems to be malformed when there are too many CAs.

Any ideas...?

Fought, Richard wrote:

>1. I believe the server reads the CA cert into memory at startup for a
>couple of reasons: to prevent unnecessary disk access, and probably as a
>security measure as well. If your cert is password protected, you might
>want an admin to type it in and startup is the perfect time to do it.
>
>2. Maybe it is a # of files limitation? If I'm not mistaken, you can
>have more than one certificate in a PEM file. Maybe try to combine
>them.
>
>Rich
>______________________________________________________________________
>Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
>User Support Mailing List                      modssl-users@modssl.org
>Automated List Manager                            [EMAIL PROTECTED]
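Added example, not part of the original thread and not mod_ssl or OpenSSL code: the size check implied by the CertificateRequest struct quoted above, in Python. It assumes each DistinguishedName is framed as opaque<1..2^16-1> (a 2-byte length followed by the DER name, as in the same SSL 3.0 draft but not quoted in the thread); the CA names, the helper names and the certificate type values 1 and 2 (rsa_sign and dss_sign in the spec) are constructed for illustration.

```python
import struct

MAX_CA_LIST = 2**16 - 1  # upper bound of certificate_authorities<3..2^16-1>
OID_O = bytes([0x06, 0x03, 0x55, 0x04, 0x0A])   # organizationName, 2.5.4.10
OID_CN = bytes([0x06, 0x03, 0x55, 0x04, 0x03])  # commonName, 2.5.4.3

def der(tag, body):
    """Minimal DER TLV encoder (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def rdn(oid, value):
    """SET { SEQUENCE { OID, PrintableString } } for one name attribute."""
    return der(0x31, der(0x30, oid + der(0x13, value.encode("ascii"))))

def dn(org, cn):
    """DER-encoded X.501 Name holding an O and a CN attribute."""
    return der(0x30, rdn(OID_O, org) + rdn(OID_CN, cn))

def ca_list_size(dns):
    """Bytes used inside certificate_authorities: 2-byte length + DER per DN."""
    return sum(2 + len(d) for d in dns)

def max_cas_that_fit(dns):
    """Number of DNs, taken in order, that stay within the 2^16-1 bound."""
    total = 0
    for count, d in enumerate(dns):
        total += 2 + len(d)
        if total > MAX_CA_LIST:
            return count
    return len(dns)

def encode_certificate_request(cert_types, dns):
    """Encode the CertificateRequest body; refuse a DN list that cannot be framed."""
    size = ca_list_size(dns)
    if not 3 <= size <= MAX_CA_LIST:
        raise ValueError(f"certificate_authorities: {size} bytes, limit {MAX_CA_LIST}")
    out = bytes([len(cert_types)]) + bytes(cert_types) + struct.pack("!H", size)
    return out + b"".join(struct.pack("!H", len(d)) + d for d in dns)

# Constructed sample: 800 made-up CA names, each an 82-byte DER Name.
SAMPLE_DNS = [dn(f"Constructed Example Org {i:03d}",
                 f"Constructed Example Root CA {i:03d}") for i in range(800)]

if __name__ == "__main__":
    print("250 CAs use", ca_list_size(SAMPLE_DNS[:250]), "bytes")
    print("CAs that fit:", max_cas_that_fit(SAMPLE_DNS))
```

Real CA names vary in length, so the number that fits depends on the DNs in the actual bundle.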