httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 52874] Support Use TrustedFirst checking when verifying client certificate chain
Date Sat, 10 Mar 2012 06:33:48 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=52874

Kaspar Brand <asfbugz@velox.ch> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Platform|PC                          |All
            Version|2.2.3                       |2.5-HEAD
         OS/Version|Linux                       |All

--- Comment #2 from Kaspar Brand <asfbugz@velox.ch> 2012-03-10 06:33:48 UTC ---
(In reply to comment #1)
> Created attachment 28448 [details]
> Patch to incorporate SSLTrustedFirst (On|Off) and the X509 Flag in openssl

This patch only includes the changes to OpenSSL, but none for mod_ssl.

> Adds support for new Server-wide directive, SSLTrustedFirst, which enables the
> ctx->param->flags for openssl's TrustedFirst directive when doing client
> verification.

If we do this, we'll want to make it a per-vhost directive (same as
SSLCACertificateFile and friends).

It's too early to consider adding support for this to mod_ssl, however (even
for trunk). The X509_V_FLAG_TRUSTED_FIRST verification flag was added to
OpenSSL in http://cvs.openssl.org/chngview?cn=19324 and will first appear in
1.1.0, which won't be released that soon, most likely.
