httpd-dev mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: svn commit: r1734561 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h
Date Tue, 15 Mar 2016 17:11:29 GMT
On Fri, Mar 11, 2016 at 2:51 PM,  <ylavic@apache.org> wrote:
> Author: ylavic
> Date: Fri Mar 11 13:51:17 2016
> New Revision: 1734561
>
> URL: http://svn.apache.org/viewvc?rev=1734561&view=rev
> Log:
> mod_ssl: Add no_crl_for_cert_ok flag to SSLCARevocationCheck directive
> to opt-in previous behaviour (2.2) with CRLs verification when checking
> certificate(s) with no corresponding CRL.

I wonder if this commit is not a bit overkill, and if instead of
adding new options/flags to "SSLCARevocationCheck chain|leaf
option(s)" with this only "no_crl_for_cert_ok" flag for now (will
there ever be others?), I'd rather not simply use a new token like
"chain-allow-miss"...

Anyway I have to fix ssl_callback_SSLVerify() (which uses
sc->server->crl_check_flags instead of mctx->crl_check_flags, and
hence does not work in the proxy case), so I could be easily convinced
to simplify the whole :)

Thoughts?
