Delivered-To: apmail-httpd-cvs-archive@www.apache.org
Mailing-List: contact cvs-help@httpd.apache.org; run by ezmlm
Reply-To: dev@httpd.apache.org
Message-ID: <20050901144915.24816.qmail@minotaur.apache.org>
Content-Type: text/plain; charset="utf-8"
Subject: svn commit: r265741 - /httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
Date: Thu, 01 Sep 2005 14:49:14 -0000
To: cvs@httpd.apache.org
From: jorton@apache.org X-Mailer: svnmailer-1.0.5 X-Virus-Checked: Checked by ClamAV on apache.org X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N Author: jorton Date: Thu Sep 1 07:49:12 2005 New Revision: 265741 URL: http://svn.apache.org/viewcvs?rev=265741&view=rev Log: Introduce SSLProxyVerify better. Add a warning note on exactly what verification is done by the proxy in the proxy-to-SSL-server case. Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml URL: http://svn.apache.org/viewcvs/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=265741&r1=265740&r2=265741&view=diff ============================================================================== --- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original) +++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Thu Sep 1 07:49:12 2005 @@ -1390,14 +1390,29 @@ AuthConfig -

-This directive sets the Certificate verification level for the remote server -Authentication. Notice that this directive can be used both in per-server and -per-directory context. In per-server context it applies to the remote server -authentication process used in the standard SSL handshake when a connection is -established. In per-directory context it forces a SSL renegotation with the -reconfigured remote server verification level after the HTTP request was read but -before the HTTP response is sent.

+ +

When a proxy is configured to forward requests to a remote SSL +server, this directive can be used to configure certificate +verification of the remote server. Notice that this directive can be +used both in per-server and per-directory context. In per-server +context it applies to the remote server authentication process used in +the standard SSL handshake when a connection is established by the +proxy. In per-directory context it forces a SSL renegotation with the +reconfigured remote server verification level after the HTTP request +was read but before the HTTP response is sent.

+ + +

Note that even when certificate verification is enabled, +mod_ssl does not check whether the +commonName (hostname) attribute of the server certificate +matches the hostname used to connect to the server. In other words, +the proxy does not guarantee that the SSL connection to the backend +server is "secure" beyond the fact that the certificate is signed by +one of the CAs configured using the +SSLProxyCACertificatePath and/or +SSLProxyCACertificateFile directives.

+
+

The following levels are available for level:
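Review bot: The rewritten description (the `+` lines that replace the old paragraph) carries over the spelling error "renegotation" and the article in "a SSL renegotation" from the removed text; since this paragraph is being reworded anyway, change it to "an SSL renegotiation". In the new note on hostname checking, it would help operators to spell out the configuration consequence: because the proxy does not compare the certificate's commonName with the hostname it connected to, any certificate issued by a CA listed via SSLProxyCACertificatePath or SSLProxyCACertificateFile is accepted for any backend, so the note could recommend pointing those directives at a CA dedicated to the backend servers rather than a general-purpose CA bundle.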