httpd-docs mailing list archives

From Ruediger Pluem <rpl...@apache.org>
Subject Re: Confusion about SSLProxyCheckPeerName/CN
Date Wed, 01 Jun 2016 18:50:24 GMT


On 06/01/2016 05:45 PM, William A Rowe Jr wrote:
> 
> 
> On Wed, Jun 1, 2016 at 9:46 AM, Ruediger Pluem <rpluem@apache.org> wrote:
> 
> 
> 
>     On 06/01/2016 04:19 PM, William A Rowe Jr wrote:
>     > Correcting one typo, below...
>     >
>     > On Wed, Jun 1, 2016 at 9:19 AM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
>     >
>     >
>     >     Proposal...
>     >
>     >     CheckPeerName  CheckPeerCN
>     >      unset | on    unset | on    CheckPeerName verification
>     >          off           on        *CheckPeerCN* verification
>     >          off       unset | off   no verification
>     >      unset | off       off       no verification
>     >
>     >     WDYT?
>     >
>     >
>     >
> 
>     In general yes plus
> 
>     CheckPeerName  CheckPeerCN
>           on    unset | off    CheckPeerName verification
> 
> 
> What about one more exceptional case... where the
> 
> CheckPeerCN On
> 
> is the only directive?  Do we still want to enable CheckPeerName by default?
> 
>   CheckPeerName  CheckPeerCN
>        on         {ignored}    CheckPeerName verification
>        unset         unset     CheckPeerName verification
>        unset         on        CheckPeerName or CheckPeerCN verification?

I think CheckPeerName is ok in this case.

>        unset         off       no verification
>        off           on        *CheckPeerCN* verification
>        off       unset | off   no verification
>    
> Because CheckPeerName is a superset of the CheckPeerCN functionality,
> I don't think there is any harm in using CheckPeerName in this case.
> 
>  

Regards

Rüdiger

---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
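
Added example (not part of the original message and not httpd's own code): a Python audit that resolves the CheckPeerName/CheckPeerCN combinations tabulated in the thread above, taking the "unset / on" row as CheckPeerName verification per the reply, and flags proxy configurations that end up with weak or no backend identity checking. The function names, the sample configurations and the last-occurrence-wins handling of a single flat context are assumptions of this example.

```python
import re

# on/off state per directive; None means the directive is absent (unset).
DIRECTIVE = re.compile(
    r"^\s*(SSLProxyCheckPeerName|SSLProxyCheckPeerCN)\s+(on|off)\s*$", re.I)

def effective_check(peer_name, peer_cn):
    """Resolve the table from the thread: returns 'name', 'cn' or 'none'."""
    if peer_name == "on":
        return "name"                      # CheckPeerCN is ignored
    if peer_name is None:
        # unset/unset and unset/on -> name check; unset/off -> nothing
        return "none" if peer_cn == "off" else "name"
    return "cn" if peer_cn == "on" else "none"   # peer_name == "off"

def audit(conf_text):
    """Audit one flat context. Assumption: the last occurrence of a
    directive wins; merging across vhost/proxy sections is not modelled."""
    state = {"sslproxycheckpeername": None, "sslproxycheckpeercn": None}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)          # comment lines never match
        if m:
            state[m.group(1).lower()] = m.group(2).lower()
    name, cn = state["sslproxycheckpeername"], state["sslproxycheckpeercn"]
    mode = effective_check(name, cn)
    findings = []
    if mode == "none":
        findings.append("backend certificate identity is not verified")
    elif mode == "cn":
        findings.append("CN-only check; CheckPeerName is the superset")
    if name == "on" and cn is not None:
        findings.append("SSLProxyCheckPeerCN is ignored when CheckPeerName is on")
    return mode, findings

# Constructed sample configurations, not taken from the thread.
SAMPLES = {
    "defaults": "SSLProxyEngine on\n",
    "legacy":   "SSLProxyCheckPeerName off\nSSLProxyCheckPeerCN on\n",
    "cn_off":   "# SSLProxyCheckPeerName on\nSSLProxyCheckPeerCN off\n",
    "both":     "SSLProxyCheckPeerName on\nSSLProxyCheckPeerCN off\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, *audit(text))
```

The "cn_off" sample shows the row most likely to surprise an operator: with CheckPeerName left unset, a lone `SSLProxyCheckPeerCN off` resolves to no verification under this table.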