httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 49037] SSLVerifyClient require_no_ca
Date Wed, 14 Apr 2010 15:47:38 GMT

--- Comment #4 from Paul Donohue 2010-04-14 11:47:36 EDT
As I mentioned on bug #47492, I don't think this patch is necessary, as
'optional_no_ca' always asks for a client certificate too.  The only difference
between this required_no_ca and the existing optional_no_ca is that
required_no_ca will automatically disconnect the client if a certificate is not
provided, while optional_no_ca will accept the connection if a certificate is
not provided, and the application must disconnect the client itself if a
certificate is needed (but this should be trivial if you are already doing your
own validation).

Regardless, I've attached a separate patch to bug #45922 which includes updated
documentation for the SSLVerifyClient directive that should help clear up some
of the confusion.  (I've run into a number of people who believe that
'optional' and 'require' cause Apache to ask for the cert differently, when in
fact the only difference is that 'require' will automatically give up and
disconnect if it doesn't get a certificate back after it asks for one).

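The application-side check the comment describes for `optional_no_ca`, as an added example that is not part of the original message or of Apache httpd: a WSGI wrapper that refuses requests that arrive without a client certificate and then does its own validation by fingerprint pinning. It assumes mod_ssl exports `SSL_CLIENT_VERIFY` and `SSL_CLIENT_CERT` to the application (`SSLOptions +StdEnvVars +ExportCertData`); the function names, the pinning policy and the sample bytes are constructed for illustration.

```python
import hashlib
import ssl

# Constructed sample: arbitrary bytes in a PEM wrapper, not a real certificate.
SAMPLE_DER = b"constructed sample bytes, not a real certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def fingerprint(pem):
    """SHA-256 (hex) over the DER bytes of a PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


def check_client_cert(environ, trusted):
    """Decide (status, reason) for a request accepted under optional_no_ca."""
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    pem = environ.get("SSL_CLIENT_CERT", "")
    if verify == "NONE" or not pem:
        # The handshake completed without a certificate; httpd did not disconnect.
        return "403 Forbidden", "client certificate required"
    if verify not in ("SUCCESS", "GENEROUS"):
        # FAILED:reason. GENEROUS means presented but not verified by httpd.
        return "403 Forbidden", "client certificate rejected by mod_ssl"
    try:
        fp = fingerprint(pem)
    except ValueError:
        return "403 Forbidden", "malformed client certificate"
    if fp not in trusted:
        return "403 Forbidden", "client certificate not trusted"
    return "200 OK", fp


def require_client_cert(app, trusted):
    """Wrap a WSGI app so only pinned client certificates reach it (hypothetical helper)."""
    def gate(environ, start_response):
        status, reason = check_client_cert(environ, trusted)
        if status != "200 OK":
            body = reason.encode()
            start_response(status, [("Content-Type", "text/plain"),
                                    ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return gate
```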