httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 45922] Expand the conditions under which "SSLVerifyClient optional_no_ca" works
Date Wed, 14 Apr 2010 15:25:30 GMT

--- Comment #2 from Paul Donohue <> 2010-04-14 11:25:28 EDT
I concur.  I have an application that does its own independent validation and
trust checking of the client's certificate, and there are cases where Apache's
validation fails and disconnects the client even though I actually want it to
ignore the error and let my application deal with it.  I still believe the
optional_no_ca option is valuable (I think the intent there is to accept valid
but untrusted certificates, which is different from accepting invalid
certificates), so this should probably be implemented as a new option.

I'm attaching two patches (one that applies against 2.2.x and one that applies
against trunk) to address this.  These patches add a new SSLVerifyClient option
('optional_no_verify') which will accept the certificate regardless of the
validation result.  These patches include updated documentation which better
describes the various SSLVerifyClient options and also corrects the ambiguities
in the SSLProxyVerify documentation (which looks like it was copied and pasted
from the SSLVerifyClient documentation).  These patches also correct the
SSL_CLIENT_VERIFY variable so that it actually contains GENEROUS when
verification fails but is accepted anyway (as per the existing documentation,
see bug #45054), and so that it contains the verification error message if
verification failed but was accepted anyway.
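An added example, not from the bug report or the attached patches, of the application-side check the comment describes, written in Python for a CGI/WSGI handler. It assumes mod_ssl exports SSL_CLIENT_VERIFY and SSL_CLIENT_CERT to the application (SSLOptions +StdEnvVars), treats a GENEROUS result as "decide for yourself" by pinning the certificate's SHA-256 fingerprint against a constructed allowlist, and uses a constructed PEM blob that is not a real certificate.

```python
import base64
import hashlib
import re

# Assumption: mod_ssl exports SSL_CLIENT_VERIFY and SSL_CLIENT_CERT to the
# application environment (SSLOptions +StdEnvVars), as CGI/WSGI sees them.
_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def make_pem(der: bytes) -> str:
    """Wrap raw bytes in PEM armour the way mod_ssl hands the cert over."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def fingerprint_pem(pem: str) -> str:
    """SHA-256 over the DER bytes of the first certificate in a PEM blob."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate in SSL_CLIENT_CERT")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()

# Constructed sample: arbitrary bytes standing in for a client cert's DER,
# and an allowlist of fingerprints the application trusts on its own.
SAMPLE_DER = b"constructed placeholder, not a real X.509 certificate"
SAMPLE_PEM = make_pem(SAMPLE_DER)
TRUSTED_FINGERPRINTS = {hashlib.sha256(SAMPLE_DER).hexdigest()}

def decide(environ: dict) -> tuple:
    """Return (allowed, reason). SSL_CLIENT_VERIFY is one of NONE, SUCCESS,
    GENEROUS or FAILED:<reason>; GENEROUS means mod_ssl accepted a cert it
    could not verify, so the application must apply its own trust check."""
    status = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if status == "SUCCESS":
        return True, "chain verified by mod_ssl"
    if status == "GENEROUS":
        try:
            fp = fingerprint_pem(environ.get("SSL_CLIENT_CERT", ""))
        except ValueError as exc:
            return False, str(exc)
        if fp in TRUSTED_FINGERPRINTS:
            return True, "unverified by mod_ssl, pinned by application"
        return False, "unverified by mod_ssl and not pinned by application"
    if status.startswith("FAILED:"):
        return False, "rejected by mod_ssl: " + status[len("FAILED:"):]
    return False, "no client certificate presented"
```

The GENEROUS branch is the one that matters under optional_no_ca: the server has already let the handshake through, so the request is only as trustworthy as the application's own check.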
