httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: SNI in 2.2.x (Re: Time for 2.2.10?)
Date Thu, 02 Apr 2009 05:14:54 GMT
Plüm, Rüdiger, VF-Group wrote:
> A question regarding your patch:
> 
> @@ -427,29 +435,26 @@ int ssl_hook_Access(request_rec *r)
>       * function and not by OpenSSL internally (and our function is aware of
>       * both the per-server and per-directory contexts). So we cannot ask
>       * OpenSSL about the currently verify depth. Instead we remember it in our
>       * ap_ctx attached to the SSL* of OpenSSL.  We've to force the
>       * renegotiation if the reconfigured/new verify depth is less than the
>       * currently active/remembered verify depth (because this means more
>       * restriction on the certificate chain).
>       */
> -    if ((sc->server->auth.verify_depth != UNSET) &&
> -        (dc->nVerifyDepth == UNSET)) {
> -        /* apply per-vhost setting, if per-directory config is not set */
> -        dc->nVerifyDepth = sc->server->auth.verify_depth;
> -    }
> 
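Review bot: with the removed `if ((sc->server->auth.verify_depth != UNSET) && (dc->nVerifyDepth == UNSET))` block gone, dc->nVerifyDepth can still be UNSET when the depth comparison described in the retained comment runs, so every later read of it in ssl_hook_Access needs the per-vhost fallback itself. The replacement lines are not visible in this quote (the header's 29 to 26 line count implies some were added), so please confirm that the effective depth is computed once into a local variable and that this local, not dc->nVerifyDepth, is what gets compared and remembered afterwards. The deleted inline comment was also the only place stating that the per-vhost setting applies when the per-directory one is unset; the block comment above should gain a sentence saying so.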
> Why don't you stick with the old approach of updating dc->nVerifyDepth and using
> this later on consistently

Because it was called "ugly" by Joe (and not threadsafe, possibly[?]):

http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3c20080604140111.GA12050@redhat.com%3e

> (the same happens with other fields in the same way later on)?

I don't think any of my changes to ssl_hook_Access adds an assignment
to any dc->something parameter (or it would be an oversight/bug if it did).

Kaspar



