httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 47492] SSLVerifyClient require_no_ca
Date Tue, 13 Apr 2010 20:52:46 GMT

Paul Donohue <> changed:

           What    |Removed                     |Added
                 CC|                            |

--- Comment #2 from Paul Donohue <> 2010-04-13 16:52:43 EDT
I don't understand the difference between this and optional_no_ca.

I'm pretty sure the Apache documentation is wrong about "optional" not working
with all browsers. The SSL handshake is identical for both "optional" and
"required" (see section 7.4.4 of RFC2246 or the 'REQUEST-CERTIFICATE' section
of The only
difference is that "required" will immediately send a "handshake failure" alert
and close the connection if a certificate is not received from the client,
while "optional" will ignore the missing certificate and continue.

I'm guessing the Apache documentation may be referring to older browsers
automatically giving up and closing the connection themselves if a suitable
cert is not available, essentially making the "optional" option the same as the
"required" option for these browsers.

So I think you could accomplish the same thing as this patch simply by using
optional_no_ca, then dropping the connection in your application if SSL_VERIFY
is set to NONE.

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message