httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: [PATCH] Further refinements for SNI
Date Tue, 22 Apr 2008 18:41:44 GMT
On Tue, Apr 22, 2008 at 06:27:26PM +0200, Dirk-Willem van Gulik wrote:
>
> On Apr 22, 2008, at 5:53 PM, Joe Orton wrote:
>> On Wed, Feb 13, 2008 at 10:00:23AM +0100, Kaspar Brand wrote:
>>> While I was testing revocation checking for client certs in an SNI
>>> configuration (Dirk, many thanks for make_sni.sh, btw!), I came across a
>>> flaw in the current implementation when CRL information - i.e.
>>> SSLCARevocationFile/SSLCARevocationPath - is set on a per-vhost basis
>>> (don't know how much sense it makes to have non-global CRLs, but 
>>> anyway...).
>>
>> Someone bugged me about the SNI support so I finally got round to chasing
>> this up.
>>
>> I hacked up a quick test based on Dirk's make_sni.sh; this adds
>> "SSLVerifyClient" & SSLCACertificateFile to the second and third named
>> vhosts.
>>
>> And this confirms my original suspicions: I can access those vhosts
>> without having to present a certificate, i.e. the configured access
>> control restrictions can be bypassed.  If I move the SSLVerifyClient/etc
>> to the first vhost, it works as expected.
>
> Is this fixed by Kaspar Brand's patch? (See his msg from 13/2)

That is the patch committed as r627699, right?  In which case, no, I'm 
seeing this behaviour with the current trunk.

joe
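
An added example, not part of the original message or of httpd: a small config audit that flags the layout reported above, where `SSLVerifyClient` is set on a later name-based vhost but not on the first vhost for the same address. The sample config, host names and file paths are constructed, and the function names are hypothetical.

```python
import re
from collections import OrderedDict

# Constructed sample config (not from the original message): three name-based
# SSL vhosts on one address, client-cert verification only on the 2nd and 3rd.
SAMPLE_CONF = """
<VirtualHost *:443>
    ServerName one.example.test
    SSLEngine on
</VirtualHost>
<VirtualHost *:443>
    ServerName two.example.test
    SSLEngine on
    SSLVerifyClient require
    SSLCACertificateFile /etc/ssl/ca-two.pem
</VirtualHost>
<VirtualHost *:443>
    ServerName three.example.test
    SSLEngine on
    SSLVerifyClient require
    SSLCACertificateFile /etc/ssl/ca-three.pem
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directive(body, name, default=None):
    """Return the last value of a directive inside one vhost body."""
    hits = re.findall(rf"^\s*{name}\s+(\S+)", body, re.M | re.I)
    return hits[-1].strip('"') if hits else default

def audit_sni_client_auth(conf):
    """Flag non-first vhosts whose SSLVerifyClient differs from the first
    vhost on the same address, the layout the message reports as bypassable."""
    groups = OrderedDict()
    for addr, body in VHOST_RE.findall(conf):
        groups.setdefault(addr.strip(), []).append(body)
    findings = []
    for addr, bodies in groups.items():
        base = directive(bodies[0], "SSLVerifyClient", "none").lower()
        for body in bodies[1:]:
            mode = directive(body, "SSLVerifyClient", "none").lower()
            if mode != "none" and mode != base:
                findings.append((addr, directive(body, "ServerName", "?"), mode))
    return findings

if __name__ == "__main__":
    for addr, name, mode in audit_sni_client_auth(SAMPLE_CONF):
        print(f"{addr} {name}: SSLVerifyClient {mode} only on a non-first vhost")
```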
