httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 52874] Support Use TrustedFirst checking when verifying client certificate chain
Date Sat, 10 Mar 2012 06:33:48 GMT

Kaspar Brand <> changed:

           What    |Removed                     |Added
           Platform|PC                          |All
            Version|2.2.3                       |2.5-HEAD
         OS/Version|Linux                       |All

--- Comment #2 from Kaspar Brand <> 2012-03-10 06:33:48 UTC ---
(In reply to comment #1)
> Created attachment 28448 [details]
> Patch to incorporate SSLTrustedFirst (On|Off) and the X509 Flag in openssl

This patch only includes the changes to OpenSSL, but none for mod_ssl.

> Adds support for new Server-wide directive, SSLTrustedFirst, which enables the
> ctx->param->flags for openssl's TrustedFirst directive when doing client
> verification.

If we do this, we'll want to make it a per-vhost directive (same as
SSLCACertificateFile and friends).

It's too early to consider adding support for this to mod_ssl, however (even
for trunk). The X509_V_FLAG_TRUSTED_FIRST verification flag was added to
OpenSSL in and will first appear in
1.1.0, which won't be released that soon, most likely.
