httpd-docs mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: Confusion about SSLProxyCheckPeerName/CN
Date Fri, 03 Jun 2016 14:11:56 GMT
On Jun 2, 2016 7:06 PM, "Daniel Ruggeri" <DRuggeri@primary.net> wrote:
>
> On 6/1/2016 9:19 AM, William A Rowe Jr wrote:
> >
> > Proposal...
> >
> > CheckPeerName  CheckPeerCN
> >  unset | on    unset | on    CheckPeerName verification
> >      off           on        *CheckPeerCN* verification
> >      off       unset | off   no verification
> >  unset | off       off       no verification
> >
> > WDYT?
>
> +1
>
> ... but it is probably a very unlikely scenario for an administrator to
> want to disable checking of SAN entries but to enable checking of CN
> (the off/on scenario above). I'd argue it's reasonable to make both
> directives simple toggles CheckPeerName verification, but I still agree
> that we cannot make an existing config represent X in version 1.2.3 and
> represent Y in version 1.2.4 so CheckPeerCN logic should be retained.

You have me a little confused.

The existing (2.4.20) behavior is a superset of the legacy (2.4.4)
behavior.  Nobody has become confused since 2.4.5 that the program is
suddenly accepting wildcard matches or altSubjectName matches.

They are confused because previously disabling CheckCN no longer disables
the check.

There remains one and only one config in the proposed fix which correctly
processes CheckCN, and it happens to mirror a previously explicit and
correct config.

Anyone upgrading since 2.4.4 with no directives at all will gain the
benefit of wildcard and altSubjectName matches, which I don't see as
detrimental.  I think the patch as proposed is the best compromise, and
hope the docs explanation is as clear as can be.
