author: Joe Orton <jorton@apache.org> 2020-12-17 13:44:41 +0100
committer: Joe Orton <jorton@apache.org> 2020-12-17 13:44:41 +0100
commit: 4c13b969cc13c84919cd01aa3315699b77fbdd65 (patch)
tree: 73811d423f22a2a3b5e1d93623a8abdcf8881e37 /docs
parent: * modules/ssl/ssl_private.h (modssl_pk_proxy_t): Update comment, (diff)
Treat non-leaf certificates present in SSLProxyMachineCertificateFile
the same way as non-leaf certs are in SSLCertificateFile - use them to
build the trusted cert chain for the end-entity (client) cert.

* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): For any
  non-leaf certificate present in the configured, trust as if used in
  SSLProxyMachineCertificateChainFile.

Github: closes #151

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1884552 13f79535-47bb-0310-9956-ffa450edef68
Diffstat (limited to 'docs')
-rw-r--r--  docs/log-message-tags/next-number  2
-rw-r--r--  docs/manual/mod/mod_ssl.xml        9
2 files changed, 7 insertions, 4 deletions
diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number
index 60f8c40814..685949ac36 100644
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-10261
+10262
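Review bot: the log-message tag counter is bumped from 10261 to 10262, but no log call that uses tag 10262 is visible here because the diffstat is limited to docs/; the reservation only makes sense together with the ssl_engine_init.c change named in the commit message, so confirm that the consumer of the new tag lands in the same commit, otherwise the next author will reuse the number.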
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index 6cee399b4f..8168c1738e 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -1872,7 +1872,8 @@ SSLProxyMachineCertificatePath "/usr/local/apache2/conf/proxy.crt/"
<syntax>SSLProxyMachineCertificateFile <em>filename</em></syntax>
<contextlist><context>server config</context> <context>virtual host</context>
<context>proxy section</context></contextlist>
-<compatibility>The proxy section context is allowed in httpd 2.4.30 and later</compatibility>
+<compatibility>The proxy section context is allowed in httpd 2.4.30 and later<br/>
+Inclusion of non-leaf (CA) certificates is permitted only in httpd 2.5.1 and later.</compatibility>
<usage>
<p>
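Review bot: the new compatibility text lacks the full stop after "2.4.30 and later" before the <br/>, so the two sentences run together once rendered; it also does not say what releases before 2.5.1 do with a non-leaf certificate in this file (silently ignore it, or fail at startup), which an administrator sharing one configuration across 2.4.x and 2.5.x needs to know. Suggested: "The proxy section context is allowed in httpd 2.4.30 and later.<br/>Non-leaf (CA) certificates may be included in the file only in httpd 2.5.1 and later."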
@@ -1884,7 +1885,9 @@ This referenced file is simply the concatenation of the various
PEM-encoded certificate files. Use this directive alternatively or
additionally to <code>SSLProxyMachineCertificatePath</code>. The referenced file can contain any number of pairs of client
certificate and associated private key. Each pair can be specified in
-either (certificate, key) or (key, certificate) order.</p>
+either (certificate, key) or (key, certificate) order. Non-leaf (CA) certificates can
+also be included in the file, and are treated as if configured with <directive
+module="mod_ssl">SSLProxyMachineCertificateChainFile</directive>.</p>
<p>When challenged to provide a client certificate by a remote server,
the server should provide a list of <em>acceptable certificate
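Review bot: the added sentence says non-leaf certificates "are treated as if configured with SSLProxyMachineCertificateChainFile" but does not say how the two sources combine when both are set, whether the in-file CA certificates are merged with those from the chain file or one takes precedence; a clause such as "in addition to any certificates configured with SSLProxyMachineCertificateChainFile" would settle it. It would also help to state that the pairing rule in the preceding sentence (each client certificate adjacent to its key) still applies and whether CA certificates may appear anywhere in the file, if that is what the loader accepts.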
@@ -1895,7 +1898,7 @@ client cert/key. If a list of CA names <em>is</em> provided,
to find a configured client cert which was issued either directly by
that CA, or indirectly via any number of intermediary CA certificates.
The chain of intermediate CA certificates can be built from those
-configured with <directive
+included in the file, or configured with <directive
module="mod_ssl">SSLProxyMachineCertificateChainFile</directive>. The
first configured matching certificate will then be supplied in
response to the challenge.</p>
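Review bot: "included in the file" is several paragraphs away from the directive it refers to and, sitting next to the chain-file directive in the same sentence, can be read as meaning that file instead; prefer "included in the SSLProxyMachineCertificateFile itself, or configured with <directive module="mod_ssl">SSLProxyMachineCertificateChainFile</directive>" so the two sources are unambiguous.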