On Thu, 27 Jan 2000, Dr Stephen Henson wrote:

> Richard Levitte - VMS Whacker wrote:
> > 
> > amoskoff> After reading the archive and modssl FAQ I have almost everything working.
> > amoskoff> But there is one question. In order to use the CApath in the function
> > amoskoff> ``SSL_CTX_load_verify_locations'' you have to generate a hash value and
> > amoskoff> do the appropriate symbolic link. What I don't understand is why this doesn't
> > amoskoff> work until I append a ``.0'' to the file? What is the significance of this?
> > 
> > The file name has to be in the format {hash}.{s/n}, where {s/n} is the
> > certificate serial number.  Most often, that is simply 0.  I haven't
> > quite understood yet how it would ever get any other number there, at
> > least automagically...
> > 
> 
> Well it's not the certificate serial number as in the serial number of
> the certificate :-)
> 
> I think the idea is that the actual hash value is quite short so it is
> conceivable that two distinct certificates will have the same hash.
> There are 2^32 possible hash values but there is a reasonable chance of
> a collision with relatively small numbers of certificates. If I recall
> what I briefly read somewhere about the "birthday attack" you'd need
> 2^16 certificates to have a 50% probability of a collision... someone
> please correct me if I've got that wrong.

It's not what I understood of the process... For me, this hash is the hash
of the subject name of the CA, since we use that hash to perform chain
validation...

In my understanding, the serial number appended (.0, .1, ...) should be
used to store different generations of CA certificates. Look at the
VeriSign/RSA Secure Server CA, for example, there's 2 versions of the CA
certificate...

> The final number is, I guess, there as a way to represent several certs
> with the same hash value. Having said that it doesn't seem to be
> implemented properly. 
> 
> The whole hash thing is IMHO a bit of a hack anyway, it relies on
> symbolic links which won't work under e.g. Windows and it can only look
> up by a broken hash calculation on subject name. We should have
> something better that handles multiple lookups. E.g. an index file which
> will work on all platforms and GDBM on platforms that support it. Not in
> 0.9.5 though...
> 
> Steve.
> 

-- 
Erwann ABALEA
System and Development Engineer - Certplus SA
[EMAIL PROTECTED]
- RSA PGP Key ID: 0x2D0EABD5 -

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
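
The naming scheme discussed in this thread, as an added shell example (not code from the thread or from OpenSSL's own tooling): each certificate is linked as {hash}.{n} using the first unused n, which matches how OpenSSL's directory lookup tries {hash}.0, {hash}.1, ... in turn until a file is missing. The function names and the byte-compare duplicate check are assumptions of this example.

```shell
#!/bin/sh
# Added example, not OpenSSL's c_rehash. link_cert takes the hash as an
# argument so the naming logic can be exercised without the openssl binary.

# link_cert DIR FILE HASH
# Link DIR/FILE as DIR/HASH.N using the first free N (0, 1, 2, ...).
# Prints the link name. If FILE is already linked under HASH, reuse that name.
link_cert() {
    dir=$1; file=$2; hash=$3; n=0
    while [ -e "$dir/$hash.$n" ] || [ -L "$dir/$hash.$n" ]; do
        if cmp -s "$dir/$hash.$n" "$dir/$file"; then
            echo "$hash.$n"      # same certificate bytes: already linked
            return 0
        fi
        n=$((n + 1))             # different cert, same hash: next suffix
    done
    # Relative target, so the directory can be moved or copied as a whole.
    ln -s "$file" "$dir/$hash.$n" && echo "$hash.$n"
}

# rehash_dir DIR
# Compute the subject-name hash of every *.pem in DIR and link it.
rehash_dir() {
    for pem in "$1"/*.pem; do
        [ -f "$pem" ] || continue
        # "openssl x509 -hash -noout" prints the 8-hex-digit subject hash.
        hash=$(openssl x509 -hash -noout -in "$pem") || continue
        link_cert "$1" "$(basename "$pem")" "$hash" >/dev/null
    done
}
```

Two certificates with the same subject name, such as two generations of one CA certificate, produce the same hash and end up as .0 and .1; a link left without a .0 predecessor is never reached by the sequential lookup.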
