httpd-dev mailing list archives

From Dirk-Willem van Gulik <di...@webweaving.org>
Subject Re: [PATCH] Further refinements for SNI
Date Thu, 14 Feb 2008 10:24:31 GMT

On Feb 13, 2008, at 10:00 AM, Kaspar Brand wrote:

> While I was testing revocation checking for client certs in an SNI
> configuration (Dirk, many thanks for make_sni.sh, btw!), I came across a
> flaw in the current implementation when CRL information - i.e.

Thank YOU (me feel silly now - as I spent a fair bit of time trying to
understand why one test case of mine was not failing -- but as I was
blaming openssl - was looking in the wrong place)

> SSLCARevocationFile/SSLCARevocationPath - is set on a per-vhost basis
> (don't know how much sense it makes to have non-global CRLs, but
> anyway...).

It may make sense during a rollover? Not sure?

> The attached patch addresses this issue, and it also improves the
> logging behavior for an SNI enabled configuration (previously some of
> the messages would always go to the first vhost, or wouldn't appear at
> all, depending on the LogLevel of the first vhost).

Tested and applied as rev 627699.

Thanks!

Dw.
