httpd-cvs mailing list archives

From jor...@apache.org
Subject svn commit: r265741 - /httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
Date Thu, 01 Sep 2005 14:49:14 GMT
Author: jorton
Date: Thu Sep  1 07:49:12 2005
New Revision: 265741

URL: http://svn.apache.org/viewcvs?rev=265741&view=rev
Log:
Introduce SSLProxyVerify better.  Add a warning note on exactly
what verification is done by the proxy in the proxy-to-SSL-server
case.

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=265741&r1=265740&r2=265741&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Thu Sep  1 07:49:12 2005
@@ -1390,14 +1390,29 @@
 <override>AuthConfig</override>
 
 <usage>
-<p>
-This directive sets the Certificate verification level for the remote server
-Authentication. Notice that this directive can be used both in per-server and
-per-directory context. In per-server context it applies to the remote server
-authentication process used in the standard SSL handshake when a connection is
-established. In per-directory context it forces a SSL renegotation with the
-reconfigured remote server verification level after the HTTP request was read but
-before the HTTP response is sent.</p>
+
+<p>When a proxy is configured to forward requests to a remote SSL
+server, this directive can be used to configure certificate
+verification of the remote server.  Notice that this directive can be
+used both in per-server and per-directory context. In per-server
+context it applies to the remote server authentication process used in
+the standard SSL handshake when a connection is established by the
+proxy. In per-directory context it forces a SSL renegotation with the
+reconfigured remote server verification level after the HTTP request
+was read but before the HTTP response is sent.</p>
+
+<note type="warning">
+<p>Note that even when certificate verification is enabled,
+<module>mod_ssl</module> does <strong>not</strong> check whether
the
+<code>commonName</code> (hostname) attribute of the server certificate
+matches the hostname used to connect to the server.  In other words,
+the proxy does not guarantee that the SSL connection to the backend
+server is "secure" beyond the fact that the certificate is signed by
+one of the CAs configured using the
+<directive>SSLProxyCACertificatePath</directive> and/or
+<directive>SSLProxyCACertificateFile</directive> directives.</p>
+</note>
+
 <p>
 The following levels are available for <em>level</em>:</p>
 <ul>
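Review bot: The new warning note says the connection to the backend is not "secure" beyond the certificate being signed by a configured CA, but it stops short of stating the practical consequence or what the administrator should do about it. Since the commonName is not matched against the hostname, a certificate signed by any CA listed via SSLProxyCACertificatePath or SSLProxyCACertificateFile is accepted for any backend hostname; suggest saying so explicitly and advising that those directives list only CAs trusted to issue certificates for the backend servers. Separately, the rewritten first paragraph carries over the typo "renegotation" from the removed text ("it forces a SSL renegotation"); it should read "renegotiation".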


