Problems with CA-Certificates

on 17.05.2007 16:35:09 by Peter79

Hello,
I have got 2 problems with my Apache using mod_ssl and authentication
with client certificates.

1. When the Apache is running and I copy a new PEM-encoded
CA certificate into the specified directory (SSLCACertificatePath) and
create the symbolic hash link, no client is able to connect to the
website with a client certificate issued by the copied CA until I
restart the server. Is this a bug? Or is there any way to update the
CA certificates without a restart?

2. The number of CA certificates seems to be limited to ~250. When I use
too many CA certificates in the directory (SSLCACertificatePath), the
SSL message from the server to the client is malformed and no client can
connect. Is this also a bug?

Don't ask me why I need more than 250 CA certificates. It's for a
Master's thesis.


____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

RE: Problems with CA-Certificates

on 17.05.2007 16:44:31 by rich.fought

1. I believe the server reads the CA cert into memory at startup for a
couple of reasons: to prevent unnecessary disk access, and probably as a
security measure as well. If your cert is password protected, you might
want an admin to type it in and startup is the perfect time to do it.

2. Maybe it is a number-of-files limitation? If I'm not mistaken, you can
have more than one certificate in a PEM file. Maybe try to combine
them.

Rich

Re: Problems with CA-Certificates

on 17.05.2007 17:30:16 by Peter79

2. Yes, I know that I can have more than one certificate in a PEM file.
That is used for the SSLCACertificateFile option. But this didn't solve
the problem.
There is no difference between having more than 250 single certificate
files or one file with 250 certificates.
In the SSL handshake the server tells the client which CAs it accepts.
This message seems to be malformed when there are too many CAs.
Any ideas...?


RE: Problems with CA-Certificates

on 17.05.2007 20:56:15 by rich.fought

Looking at the SSL 3.0 spec at
http://wp.netscape.com/eng/ssl3/draft302.txt, there appears to be a size
limit for the list of CA distinguished names:

struct {
    CertificateType certificate_types<1..2^8-1>;
    DistinguishedName certificate_authorities<3..2^16-1>;
} CertificateRequest;

If I interpret the spec correctly, this means 3 - 65535 bytes of data
available for the list of DNs (someone please correct me if I am wrong).

Perhaps you are hitting this limit.

Rich
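To make the bound Rich quotes concrete, here is an added example (written for this page, not code from the thread or from mod_ssl). It encodes constructed CA subject names as DER Names with a minimal encoder, packs them into the certificate_authorities vector exactly as the SSL 3.0 / TLS 1.x CertificateRequest carries it (a 2-byte vector length, then each DistinguishedName as a 2-byte length plus DER bytes), and reports how many CAs of a given DN size fit under 65535 bytes. The point it demonstrates is that the limit is on bytes, not on the number of CAs: short DNs allow over a thousand entries, while DNs a few hundred bytes long run out at roughly the 250 the original poster observed. The OID table and the sample "Test CA" names are assumptions made for the example; real DNs would be taken from the CA certificates themselves.

```python
"""Size check for the certificate_authorities vector of a TLS CertificateRequest.

Added example, not code from the mailing list or mod_ssl. DN encoder covers a few
attribute types only (assumption: enough for the estimate). Sample DNs are constructed.
"""
import struct

MAX_VECTOR_LEN = 2 ** 16 - 1  # upper bound of certificate_authorities<3..2^16-1>

# Attribute type OIDs used by the minimal DN encoder (assumption: these suffice).
OIDS = {
    "C": b"\x55\x04\x06",   # id-at-countryName
    "O": b"\x55\x04\x0a",   # id-at-organizationName
    "OU": b"\x55\x04\x0b",  # id-at-organizationalUnitName
    "CN": b"\x55\x04\x03",  # id-at-commonName
}


def der_length(n):
    """DER definite-form length: one byte below 0x80, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_length(len(body)) + body


def encode_dn(attrs):
    """Encode [(type, value), ...] as a DER Name: SEQUENCE of single-valued RDN SETs."""
    rdns = b""
    for typ, value in attrs:
        oid = der_tlv(0x06, OIDS[typ])
        # countryName is a PrintableString; the other values are encoded as UTF8String.
        string = der_tlv(0x13 if typ == "C" else 0x0C, value.encode("utf-8"))
        rdns += der_tlv(0x31, der_tlv(0x30, oid + string))
    return der_tlv(0x30, rdns)


def encode_certificate_authorities(dns):
    """Pack DER DNs as the wire vector: 2-byte total length, then each DN as
    opaque DistinguishedName<1..2^16-1> (2-byte length prefix + DER bytes)."""
    body = b"".join(struct.pack("!H", len(dn)) + dn for dn in dns)
    if len(body) > MAX_VECTOR_LEN:
        raise ValueError(f"CA list needs {len(body)} bytes, exceeds {MAX_VECTOR_LEN}")
    return struct.pack("!H", len(body)) + body


def decode_certificate_authorities(vector):
    """Inverse of encode_certificate_authorities; rejects truncated or inconsistent input."""
    (total,) = struct.unpack("!H", vector[:2])
    if total != len(vector) - 2:
        raise ValueError("vector length field does not match payload")
    dns, pos = [], 2
    while pos < len(vector):
        (n,) = struct.unpack("!H", vector[pos:pos + 2])
        pos += 2
        if n == 0 or pos + n > len(vector):
            raise ValueError("malformed DistinguishedName entry")
        dns.append(vector[pos:pos + n])
        pos += n
    return dns


def max_cas_that_fit(dn_len):
    """Number of DNs of dn_len bytes that fit: each entry costs dn_len + 2 bytes."""
    return MAX_VECTOR_LEN // (dn_len + 2)


def sample_ca_dn(i, ou_padding=""):
    """Constructed DN for the i-th test CA; a non-empty ou_padding models verbose DNs."""
    attrs = [("C", "DE"), ("O", f"Test CA {i:03d}")]
    if ou_padding:
        attrs.append(("OU", ou_padding))
    attrs.append(("CN", f"Test CA {i:03d}"))
    return encode_dn(attrs)


if __name__ == "__main__":
    for label, dn in (("short", sample_ca_dn(1)), ("long", sample_ca_dn(1, "x" * 200))):
        print(f"{label} DN: {len(dn)} bytes -> at most {max_cas_that_fit(len(dn))} CAs fit")
    try:
        encode_certificate_authorities([sample_ca_dn(i, "x" * 200) for i in range(250)])
    except ValueError as exc:
        print("250 long DNs:", exc)
```

Run as a script it prints the per-DN budget for a short and a long constructed DN and shows the 250 long DNs being rejected before they could produce an over-long message. The same arithmetic can be applied to a real deployment by measuring the DER subject length of each CA certificate and summing len + 2 over the list.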
