From: Joe Orton Date: Fri, 19 Mar 2021 16:12:29 +0000 (+0000) Subject: Merge r1880958 from trunk: X-Git-Tag: 2.4.47~57 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0d00b37e0dd0a6c211bdab32539b42b5ff630a01;p=thirdparty%2Fapache%2Fhttpd.git Merge r1880958 from trunk: Document limitations for private key format in SSLProxyMachineCertificateFile and SSLProxyMachineCertificatePath. PR 63935. Plus, further tweak text to explain failure mode specific to 2.4. Submitted by: rjung, jorton Reviewed by: jorton git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1887813 13f79535-47bb-0310-9956-ffa450edef68 --- diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en index e7cb077644d..5b253b04bea 100644 --- a/docs/manual/mod/mod_ssl.html.en +++ b/docs/manual/mod/mod_ssl.html.en @@ -1903,10 +1903,35 @@ This directive sets the all-in-one file where you keep the certificates and keys used for authentication of the proxy server to remote servers.

-This referenced file is simply the concatenation of the various PEM-encoded -certificate files, in order of preference. Use this directive alternatively -or additionally to SSLProxyMachineCertificatePath. +This referenced file is simply the concatenation of the various +PEM-encoded certificate files. Use this directive alternatively or +additionally to SSLProxyMachineCertificatePath. The +referenced file can contain any number of pairs of client certificate +and associated private key. Each pair can be specified in either +(certificate, key) or (key, certificate) order. If the file includes +any non-leaf certificate, or any unmatched key and certificate pair, a +configuration error will be issued at startup.

+ +

When challenged to provide a client certificate by a remote server, +the server should provide a list of acceptable certificate +authority names in the challenge. If such a list is not +provided, mod_ssl will use the first configured +client cert/key. If a list of CA names is provided, +mod_ssl will iterate through that list, and attempt +to find a configured client cert which was issued either directly by +that CA, or indirectly via any number of intermediary CA certificates. +The chain of intermediate CA certificates can be built from those +configured with SSLProxyMachineCertificateChainFile. The +first configured matching certificate will then be supplied in +response to the challenge.

+ +

If the list of CA names is provided by the remote server, +and no matching client certificate can be found, no client +certificate will be provided by mod_ssl, which will +likely fail the SSL/TLS handshake (depending on the remote server +configuration).

+

Currently there is no support for encrypted private keys

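Review bot: Dropping "in order of preference" from the replaced sentence removes the only explicit statement that file order matters; the new text only implies it through "mod_ssl will use the first configured client cert/key" and "The first configured matching certificate will then be supplied". Suggest keeping one explicit sentence, e.g. "Pairs are tried in the order they appear in the file, so place the preferred certificate first." Related: since the added text makes any non-leaf certificate in this file a startup configuration error, the sentence pointing at SSLProxyMachineCertificateChainFile should say outright that intermediate CA certificates belong there and must not be concatenated into this file, otherwise readers following the old "concatenation of the various PEM-encoded certificate files" wording will hit the new non-leaf check.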
@@ -1932,13 +1957,14 @@ must be converted, eg. using Compatibility:The proxy section context is allowed in httpd 2.4.30 and later

-This directive sets the directory where you keep the certificates and -keys used for authentication of the proxy server to remote servers. +This directive sets the directory where you keep the client +certificates and keys used for authentication of the proxy server to +remote servers. +

+

+mod_ssl will attempt to load every file inside the specified directory +as if it was configured individually with SSLProxyMachineCertificateFile.

-

The files in this directory must be PEM-encoded and are accessed through -hash filenames. Additionally, you must create symbolic links named -hash-value.N. And you should always make sure this -directory contains the appropriate symbolic links.

Currently there is no support for encrypted private keys

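Review bot: "mod_ssl will attempt to load every file inside the specified directory" leaves the failure mode unstated: read together with the SSLProxyMachineCertificateFile text added in the previous hunk (unmatched pair or non-leaf certificate is a startup configuration error), a stray non-PEM, CA-only or backup file in the directory would apparently abort startup, and the paragraph should say so explicitly (or state which files are skipped). Because the hash-filename and hash-value.N symlink instructions are deleted rather than marked obsolete, consider adding to the Compatibility line which release stopped requiring them, so administrators of older 2.4.x builds are not misled. Nits: "as if it was configured" should read "as if it were configured", and the context line "must be converted, eg. using" should use "e.g.".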
@@ -2853,7 +2879,7 @@ var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_ssl.html'; } })(window, document); //-->