httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: Behavior of Host: vs. SNI Hostname in proxy CONNECT requests
Date Tue, 24 Dec 2013 13:09:14 GMT
On Tue, Dec 24, 2013 at 1:50 PM, Dr Stephen Henson <shenson@opensslfoundation.com> wrote:

> On 24/12/2013 11:58, Yann Ylavic wrote:
> >
> > According to
> > http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3C48592955.2090303@velox.ch%3E ,
> > the (great) analysis Kaspar made in 2008, the only parameters which
> > won't be renegotiated are SSLCACertificateFile/Path and
> > SSLCADNRequestFile/Path.
> > This is because of the lacking OpenSSL's SSL_set_cert_store()
> > function, which always seems to be the case with the latest versions
> > (AFAICT).
>
> OpenSSL 1.0.2 and later will address this. It supports separate
> verification and chain building stores which can be set at the
> SSL_CTX or SSL level. See:
>
> http://www.openssl.org/docs/ssl/SSL_CTX_set1_verify_cert_store.html
>

Thanks for the pointer.

Regards,
Yann.
