Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-03 Thread Dr Stephen Henson
On 02/02/2014 13:45, Kaspar Brand wrote: > On 01.02.2014 14:37, Dr Stephen Henson wrote: >> I'm wondering how that could be avoided. Would a way to enumerate all >> certificates in an SSL_CTX structure in OpenSSL help? Something like >> SSL_CTX_get0_first_certificate() and SSL_CTX_get0_next_certifi

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-18 Thread Jeff Trawick
On Mon, Feb 3, 2014 at 6:21 AM, Dr Stephen Henson < shen...@opensslfoundation.com> wrote: > On 02/02/2014 13:45, Kaspar Brand wrote: > > On 01.02.2014 14:37, Dr Stephen Henson wrote: > >> I'm wondering how that could be avoided. Would a way to enumerate all > >> certificates in an SSL_CTX structur

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-18 Thread Dr Stephen Henson
On 18/02/2014 20:06, Jeff Trawick wrote: > On Mon, Feb 3, 2014 at 6:21 AM, Dr Stephen Henson > > wrote: > > On 02/02/2014 13:45, Kaspar Brand wrote: > > On 01.02.2014 14:37, Dr Stephen Henson wrote: > >> I'm wondering how that could be avoided. W

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-19 Thread Jeff Trawick
On Tue, Feb 18, 2014 at 5:00 PM, Dr Stephen Henson < shen...@opensslfoundation.com> wrote: > On 18/02/2014 20:06, Jeff Trawick wrote: > > On Mon, Feb 3, 2014 at 6:21 AM, Dr Stephen Henson < > shen...@opensslfoundation.com > > > wrote: > > > > On 02/02/2014

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-19 Thread Dr Stephen Henson
On 19/02/2014 18:37, Jeff Trawick wrote: > > > I think this is the trick... > > +rc = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST); > +while (rc) { > +x = SSL_CTX_get0_certificate(ctx); > +if (x) { > +chain = NULL; > +SSL_CTX_get0_chain_certs(

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-19 Thread Jeff Trawick
On Wed, Feb 19, 2014 at 2:23 PM, Dr Stephen Henson < shen...@opensslfoundation.com> wrote: > On 19/02/2014 18:37, Jeff Trawick wrote: > > > > > > I think this is the trick... > > > > +rc = SSL_CTX_set_current_cert(ctx, SSL_CERT_SET_FIRST); > > +while (rc) { > > +x = SSL_CTX_get0_ce

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-19 Thread Dr Stephen Henson
On 19/02/2014 20:17, Jeff Trawick wrote: > On Wed, Feb 19, 2014 at 2:23 PM, Dr Stephen Henson > mailto:shen...@opensslfoundation.com>> wrote: > > On 19/02/2014 18:37, Jeff Trawick wrote: > > > > > > I think this is the trick... > > > > +rc = SSL_CTX_set_current_cert(ctx

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-19 Thread Dr Stephen Henson
On 19/02/2014 20:17, Jeff Trawick wrote: > On Wed, Feb 19, 2014 at 2:23 PM, Dr Stephen Henson > mailto:shen...@opensslfoundation.com>> wrote: > > That works for two cases above. If however the on the fly chain building > is > performed it will fail. > > > Perhaps this is naive, but it m

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-19 Thread Kaspar Brand
On 19.02.2014 20:23, Dr Stephen Henson wrote: > However for that to work it needs application support either explicitly by > using > SSL_CTX_add0_chain_cert or via the use of SSL_CTX_use_certificate_chain_file > which uses this transparently in OpenSSL 1.0.2. I just checked and httpd > currently d

RE: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-20 Thread Falco Schwarz
> Date: Thu, 20 Feb 2014 07:35:01 +0100 > That's part of the mod_ssl backport proposal currently in 2.4.x/STATUS. > (A previous version had a vote from jorton, but I'm not sure if he's > willing to refresh that... perhaps people feel uneasy with getting this > into 2.4.8? A third vote would be need

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-22 Thread Kaspar Brand
On 20.02.2014 21:37, Falco Schwarz wrote: > As I read through the changed code I found a smaller issue with the > deprecation warning of SSLCertificateChainFile: > > + ap_log_error(APLOG_MARK, APLOG_WARNING|APLOG_STARTUP, 0, cmd->server, > + APLOGNO(02559) > + "The SSLCertificateChainFile directi

RE: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-22 Thread Falco Schwarz
Perhaps I am missing something here, but if it is printed to stderr I should see it in the console when starting, right? Because I am unable to see it anywhere. Even when reloading or restarting it is not written to the error log. It does not show up with -t either. Any clues? > Date: Sat, 22 F

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-22 Thread Kaspar Brand
On 22.02.2014 11:06, Falco Schwarz wrote: > Perhaps I am missing something here, but if it is printed to stderr I should > see it in the console when starting, right? Because I am unable to see it > anywhere. > > Even when reloading or restarting it is not written to the error log. > It does not

RE: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-22 Thread Falco Schwarz
> Date: Sat, 22 Feb 2014 11:22:14 +0100 > Does your current config still include an SSLCertificateChainFile directive? > > Kaspar Yes, for testing I am currently using these directives (without comment): SSLCertificateFile      conf/ssl/foo.bar.cer    # leaf only SSLCertificateKeyFile   conf/ssl/

Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-22 Thread Kaspar Brand
On 22.02.2014 11:27, Falco Schwarz wrote: > Yes, for testing I am currently using these directives (without comment): > > SSLCertificateFile conf/ssl/foo.bar.cer# leaf only > SSLCertificateKeyFile conf/ssl/foo.bar.key# key only > SSLCertificateChainFile conf/ssl/foo.bar.ca # cha

RE: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-22 Thread Falco Schwarz
> Date: Sat, 22 Feb 2014 15:16:27 +0100 > The only explanation I can imagine then is that your mod_ssl.so / httpd > binary does not include the complete mod_ssl-2.4.x-certkeyfile-v3.diff > patch. Does "strings mod_ssl.so | grep AH02559" show any output? > > Kaspar   Unfortunately yes. I checked out

RE: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS)

2014-02-22 Thread Falco Schwarz
Kaspar, I switched back to your version and realized, that the directive SSLCertificateChainFile was always used in a VirtualHost. If the directive is in server scope, the warning is written correctly.

LogLevel inheritance/merging for VirtualHost in 2.4.x (Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS))

2014-02-23 Thread Kaspar Brand
On 22.02.2014 19:17, Falco Schwarz wrote: > Kaspar, I switched back to your version and realized, that the directive > SSLCertificateChainFile was always used in a VirtualHost. > > If the directive is in server scope, the warning is written correctly. >

Re: LogLevel inheritance/merging for VirtualHost in 2.4.x (Re: SSL_CTX_get_{first,next}_certificate (Re: svn commit: r1562500 - /httpd/httpd/branches/2.4.x/STATUS))

2015-04-26 Thread Kaspar Brand
On 23.02.2014 09:03, Kaspar Brand wrote: > On 22.02.2014 19:17, Falco Schwarz wrote: >> Kaspar, I switched back to your version and realized, that the directive >> SSLCertificateChainFile was always used in a VirtualHost. >> >> If the directive is in server scope, the warning is written correctly.