Return-Path: X-Original-To: apmail-httpd-dev-archive@www.apache.org Delivered-To: apmail-httpd-dev-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id D98FC19971 for ; Tue, 15 Mar 2016 17:11:39 +0000 (UTC) Received: (qmail 64359 invoked by uid 500); 15 Mar 2016 17:11:39 -0000 Delivered-To: apmail-httpd-dev-archive@httpd.apache.org Received: (qmail 64305 invoked by uid 500); 15 Mar 2016 17:11:39 -0000 Mailing-List: contact dev-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: dev@httpd.apache.org list-help: list-unsubscribe: List-Post: List-Id: Delivered-To: mailing list dev@httpd.apache.org Received: (qmail 64295 invoked by uid 99); 15 Mar 2016 17:11:39 -0000 Received: from pnap-us-west-generic-nat.apache.org (HELO spamd2-us-west.apache.org) (209.188.14.142) by apache.org (qpsmtpd/0.29) with ESMTP; Tue, 15 Mar 2016 17:11:39 +0000 Received: from localhost (localhost [127.0.0.1]) by spamd2-us-west.apache.org (ASF Mail Server at spamd2-us-west.apache.org) with ESMTP id D291C1A0361 for ; Tue, 15 Mar 2016 17:11:38 +0000 (UTC) X-Virus-Scanned: Debian amavisd-new at spamd2-us-west.apache.org X-Spam-Flag: NO X-Spam-Score: -0.802 X-Spam-Level: X-Spam-Status: No, score=-0.802 tagged_above=-999 required=6.31 tests=[DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, RCVD_IN_MSPIKE_H2=-0.001, SPF_PASS=-0.001] autolearn=disabled Authentication-Results: spamd2-us-west.apache.org (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com Received: from mx2-lw-eu.apache.org ([10.40.0.8]) by localhost (spamd2-us-west.apache.org [10.40.0.9]) (amavisd-new, port 10024) with ESMTP id E3HIZ6acQrac for ; Tue, 15 Mar 2016 17:11:38 +0000 (UTC) Received: from mail-qg0-f48.google.com (mail-qg0-f48.google.com [209.85.192.48]) by mx2-lw-eu.apache.org (ASF Mail Server at mx2-lw-eu.apache.org) with ESMTPS id 54B005F5CE for ; Tue, 15 Mar 2016 17:11:37 +0000 (UTC) Received: by mail-qg0-f48.google.com with SMTP id w104so20107896qge.1 for ; Tue, 15 Mar 2016 10:11:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to; bh=p64efFH9kGSruZZ08HGe9GVNDCZsN20UlM3XDRauC+o=; b=CBN02t+ddw/gA7bnmP1eAKO6eUZWdQZgcI4NnINUm8bNww9l/cyOuXhm+JV7hPI5Ci abLFCvTLlEQRYF9TfWVOzXr8ex4RIlgwc/QuHcYNtFJi6chXgwFGwBcB+1HHpuw9VhdG IHGR+COMHN7Q3ykQCyOOPPoGJhXylwyGSw+ZzuwizwV9h73ADzSgkvHPkFYrypr5/3qb GKlzZdvWIbnS4gDqWAdoPqRyxOmKQcLVTEqV8gSry1TJH3D0SLGZzZ33AsnY1I8r3QOB 67s9EkvjZKn1ZUnDgFVXTXIaP7Yw25KYLFs3pwxdPWFSSdYf4JV+A3M9+4QLxTix72qd h2gQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:mime-version:in-reply-to:references:date :message-id:subject:from:to; bh=p64efFH9kGSruZZ08HGe9GVNDCZsN20UlM3XDRauC+o=; b=Z6T3RmyzFmo6pSQbwGHiMf+Yl7njZOJwjitkQYICW9cEdEXLQg/TgolR+GeqwetrMx Q5gRBbLJALTFw3UuynxiaXzzNXFqrPrxGbpyU1FpoUfyLIiRmjmfa/ymJmn7ykn28CuP KbEmaKeSSEREJ1QwCFFsCQj8pcsQE0t2/F1PCsuCqbMGRK4HhEF9DuVC+zun0P318O1w v1kIWn7sABdh5FNltWh2Wfcg9CKx+FlNiCKF3YfZIbEtB3SK6hm32zpBCiwwffp/o0zR J+8fIRXIlfN1IhK0Zf5lvO30SrZida1aXE16hkmCVXWh8NyY7tOehqwZB/HeT8DenF/B pZyQ== X-Gm-Message-State: AD7BkJIL64pU6w6vyfrCaaN4zYb39cQj+KZJlpxsYVTMadKUmKjzC98gpadSXJvdwBAQ1y7gh6rB0LJto9cnzw== MIME-Version: 1.0 X-Received: by 10.140.164.71 with SMTP id k68mr41795460qhk.97.1458061889790; Tue, 15 Mar 2016 10:11:29 -0700 (PDT) Received: by 10.55.10.7 with HTTP; Tue, 15 Mar 2016 10:11:29 -0700 (PDT) In-Reply-To: <20160311135117.D03C23A031A@svn01-us-west.apache.org> References: <20160311135117.D03C23A031A@svn01-us-west.apache.org> Date: Tue, 15 Mar 2016 18:11:29 +0100 Message-ID: Subject: Re: svn commit: r1734561 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml modules/ssl/mod_ssl.c modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_init.c modules/ssl/ssl_engine_kernel.c modules/ssl/ssl_private.h From: Yann Ylavic To: httpd-dev Content-Type: text/plain; charset=UTF-8 On Fri, Mar 11, 2016 at 2:51 PM, wrote: > Author: ylavic > Date: Fri Mar 11 13:51:17 2016 > New Revision: 1734561 > > URL: http://svn.apache.org/viewvc?rev=1734561&view=rev > Log: > mod_ssl: Add no_crl_for_cert_ok flag to SSLCARevocationCheck directive > to opt-in previous behaviour (2.2) with CRLs verification when checking > certificate(s) with no corresponding CRL. I wonder if this commit is not a bit overkill, and if instead of adding new options/flags to "SSLCARevocationCheck chain|leaf option(s)" with this only "no_crl_for_cert_ok" flag for now (will there ever be others?), I'd rather not simply use a new token like "chain-allow-miss"... Anyway I have to fix ssl_callback_SSLVerify() (which uses sc->server->crl_check_flags instead of mctx->crl_check_flags, and hence does not work in the proxy case), so I could be easily convinced to simplify the whole :) Thoughts?