Yup.. you're right. That's the reason why the client certificate parameters
are maintained in the connection context - so that when a access check is
being performed, a renegotiation is not triggered (again)..
Another TODO item in the modules/ssl/README file can be removed :
o Remember the Peer Certificate parameters.
Thanks
-Madhu
-----Original Message-----
From: Doug MacEachern [mailto:dougm@covalent.net]
Sent: Wednesday, August 22, 2001 12:54 PM
To: 'dev@httpd.apache.org'
Subject: RE: [PATCH] mod_SSL with Client Authentication
On Wed, 22 Aug 2001, MATHIHALLI,MADHUSUDAN (HP-Cupertino,ex1) wrote:
> Ideally, we should be verifying for a failed Client authentication soon
> after a SSL_accept, and a connection closed accordingly.
ok, thats in, thanks.
> The stuff that's being done in ssl_hook_Access is mostly to ensure that
the
> certificate has proper permissions to access that location. It's mostly
> concerned with the "SSLRequire" parameter.
also for per-location client auth (SSLVerify*). it would also handle
per-server SSLVerify too, but triggers renegotiation, which it shouldn't
now with your patch in.
|