[Cc to tbnl-devel which seems to work again. Please continue the discussion there.]
On Mon, 5 Nov 2007 11:30:53 +0200, "Juhani Ränkimies" juhani@juranki.com wrote:
I'm sorry for mailing you directly. I tried to join cl-plus-ssl-devel and tbnl-devel mailing lists, but for some reason the confirmation emails never reached my mailbox.
There was a problem with Mailman on common-lisp.net which seems to be fixed now.
I wanted to use a chained certificate without Apache or anything else in front of hunchentoot and came up with a hack that enabled it.
My notes on the hack can be found at https://www.juranki.net/ht/hunchentoot-chained-certificate.html (if you're using IE, you're going to get a security alert because the CA I'm experimenting with is not trusted by IE)
I would like this capability to be added to hunchentoot/cl+ssl, but before doing more work I'd like to hear your comments.
Do you see the solution as a valid one? If so, how to proceed? If not, what's the better way to do it?
I only looked at it briefly, but at first glance it seems to be OK. However, for something to be accepted as a patch to Hunchentoot see the notes here:
Thanks, Edi.
There was a problem with Mailman on common-lisp.net which seems to be fixed now.
Yes, I'm a member now. Thanks.
I wanted to use a chained certificate without Apache or anything else in front of hunchentoot and came up with a hack that enabled it.
My notes on the hack can be found at https://www.juranki.net/ht/hunchentoot-chained-certificate.html (if you're using IE, you're going to get a security alert because the CA I'm experimenting with is not trusted by IE)
I would like this capability to be added to hunchentoot/cl+ssl, but before doing more work I'd like to hear your comments.
Do you see the solution as a valid one? If so, how to proceed? If not, what's the better way to do it?
I only looked at it briefly, but at first glance it seems to be OK. However, for something to be accepted as a patch to Hunchentoot see the notes here:
I further examined the behaviour of the openssl functions and found that it's possible to solve the problem without modifying hunchentoot, by first loading a ca-bundle, containing ca and intermediate certificates, to global context and then using the existing hunchentoot api to specify the private key and server certificate.
A patch to cl+ssl and some notes can be found at https://www.juranki.net/ht/hunchentoot-chained-certificate-v3.html
br, -juhani
On Thu, 8 Nov 2007 18:49:24 +0200, "Juhani Ränkimies" juhani@juranki.com wrote:
I further examined the behaviour of the openssl functions and found that it's possible to solve the problem without modifying hunchentoot, by first loading a ca-bundle, containing ca and intermediate certificates, to global context and then using the existing hunchentoot api to specify the private key and server certificate.
OK, that's even better... :)
Thanks, Edi.