[hunchentoot-devel] Re: Chained SSL certificates with hunchentoot/cl+ssl

Juhani Ränkimies juhani at juranki.com
Thu Nov 8 16:49:24 UTC 2007


>
> There was a problem with Mailman on common-lisp.net which seems to be
> fixed now.

Yes, I'm a member now. Thanks.

>
> > I wanted to use a chained certificate without Apache or anything
> > else in front of hunchentoot and came up with a hack that enabled
> > it.
> >
> > My notes on the hack can be found at
> > https://www.juranki.net/ht/hunchentoot-chained-certificate.html (if
> > you're using IE, you're going to get a security alert because the CA
> > I'm experimenting with is not trusted by IE)
> >
> > I would like this capability to be added to hunchentoot/cl+ssl, but
> > before doing more work I'd like to hear your comments.
> >
> > Do you see the solution as a valid one?
> > If so, how to proceed?
> > If not, what's the better way to do it?
>
> I only looked at it briefly, but at first glance it seems to be OK.
> However, for something to be accepted as a patch to Hunchentoot see
> the notes here:
>
>   http://weitz.de/patches.html

I further examined the behaviour of the openssl functions and
found that it's possible to solve the problem without modifying
hunchentoot, by first loading a ca-bundle, containing ca and
intermediate certificates, to global context and then using the
existing hunchentoot api to specify the private key and server
certificate.

A patch to cl+ssl and some notes can be found at
https://www.juranki.net/ht/hunchentoot-chained-certificate-v3.html


br,
-juhani
