httpd-docs mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: Confusion about SSLProxyCheckPeerName/CN
Date Thu, 02 Jun 2016 15:47:57 GMT
This looks like the resulting patch.  Wordsmithing the docs changes today...

On Wed, Jun 1, 2016 at 1:50 PM, Ruediger Pluem <rpluem@apache.org> wrote:

>
> On 06/01/2016 05:45 PM, William A Rowe Jr wrote:
> >
> >   CheckPeerName  CheckPeerCN
> >        on         {ignored}    CheckPeerName verification
> >        unset         unset     CheckPeerName verification
> >        unset         on        CheckPeerName verification?
> >        unset         off       no verification
> >        off           on        *CheckPeerCN* verification
> >        off       unset | off   no verification
> >
> > Because CheckPeerName is a superset of the CheckPeerCN functionality,
> > I don't think there is any harm is using CheckPeerName in this case.
> >
>
> I think CheckPeerName is ok in this case.
>
> Regards
>
> Rüdiger
>

 Index: ssl_engine_io.c
===================================================================
--- ssl_engine_io.c (revision 1746587)
+++ ssl_engine_io.c (working copy)
@@ -1189,6 +1189,8 @@
             }
         }
         if ((sc->proxy_ssl_check_peer_name != SSL_ENABLED_FALSE) &&
+            ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) ||
+             (sc->proxy_ssl_check_peer_name == SSL_ENABLED_TRUE)) &&
             hostname_note) {
             apr_table_unset(c->notes, "proxy-request-hostname");
             if (!cert
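Review bot: the new compound condition encodes the precedence from the table in the thread (an explicit SSLProxyCheckPeerName on always takes the name branch, unset defers to SSLProxyCheckPeerCN, off skips the branch), but nothing at the call site says so, and a reader will have to rederive the three-way interplay from the `!=`/`==` mix. Suggest a one-line comment above the `if`, e.g. `/* CheckPeerName on, or unset with CheckPeerCN not off: verify the hostname */`, so that the intent survives the next edit. The trailing `hostname_note` test is unchanged, so with no hostname note neither branch runs, as before.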
@@ -1200,7 +1202,7 @@
                               "for hostname %s", hostname_note);
             }
         }
-        else if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) &&
+        else if ((sc->proxy_ssl_check_peer_cn == SSL_ENABLED_TRUE) &&
             hostname_note) {
             const char *hostname;
             int match = 0;
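Review bot: tightening `!= SSL_ENABLED_FALSE` to `== SSL_ENABLED_TRUE` is a behaviour change for configurations that set SSLProxyCheckPeerName off and leave SSLProxyCheckPeerCN unset: with the old `!=` test that combination fell through to the CN check, with the new test it performs no verification at all (the `off / unset` row of the table). That is what the thread agreed on, but the docs change should state explicitly that CN checking now only happens when SSLProxyCheckPeerCN is set to on, and a CHANGES note is warranted, since a backend connection that was CN-verified before the patch becomes unverified after it without any configuration edit.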

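To make the precedence discussed above concrete, here is an added stand-alone example (not httpd code and not part of this message or the patch) that reimplements the two `if`/`else if` conditions from the hunks, once as they read before the patch and once after, and checks each against the table Bill posted. The enum value names follow the patch; their numeric values, the function and type names, and the `have_hostname` flag standing in for `hostname_note` are assumptions made for this example.

```c
#include <stdio.h>

/* Tri-state value of an SSL* directive as mod_ssl stores it. The names
 * follow the enum used in the patch; the numeric values are an assumption
 * made for this stand-alone example. */
typedef enum {
    SSL_ENABLED_UNSET = 0,
    SSL_ENABLED_FALSE = 1,
    SSL_ENABLED_TRUE  = 2
} ssl_enabled_t;

/* Which check the proxy applies to the backend certificate. */
typedef enum {
    VERIFY_NONE,       /* no hostname check at all */
    VERIFY_PEER_NAME,  /* SSLProxyCheckPeerName branch */
    VERIFY_PEER_CN     /* SSLProxyCheckPeerCN branch (legacy CN compare) */
} verify_mode_t;

typedef verify_mode_t (*mode_fn)(ssl_enabled_t, ssl_enabled_t, int);

/* Branch selection as it reads after the patch (the '+' lines).
 * have_hostname stands in for the hostname_note check. */
verify_mode_t proxy_verify_mode_after(ssl_enabled_t check_peer_name,
                                      ssl_enabled_t check_peer_cn,
                                      int have_hostname)
{
    if (check_peer_name != SSL_ENABLED_FALSE &&
        (check_peer_cn != SSL_ENABLED_FALSE ||
         check_peer_name == SSL_ENABLED_TRUE) &&
        have_hostname) {
        return VERIFY_PEER_NAME;
    }
    else if (check_peer_cn == SSL_ENABLED_TRUE && have_hostname) {
        return VERIFY_PEER_CN;
    }
    return VERIFY_NONE;
}

/* Branch selection as it read before the patch (the '-' lines). */
verify_mode_t proxy_verify_mode_before(ssl_enabled_t check_peer_name,
                                       ssl_enabled_t check_peer_cn,
                                       int have_hostname)
{
    if (check_peer_name != SSL_ENABLED_FALSE && have_hostname) {
        return VERIFY_PEER_NAME;
    }
    else if (check_peer_cn != SSL_ENABLED_FALSE && have_hostname) {
        return VERIFY_PEER_CN;
    }
    return VERIFY_NONE;
}

/* The matrix agreed in the thread, expanded so every combination of the
 * two directives appears once ("on / {ignored}" becomes three rows). */
struct row { ssl_enabled_t name; ssl_enabled_t cn; verify_mode_t want; };

static const struct row expected[] = {
    { SSL_ENABLED_TRUE,  SSL_ENABLED_UNSET, VERIFY_PEER_NAME },
    { SSL_ENABLED_TRUE,  SSL_ENABLED_TRUE,  VERIFY_PEER_NAME },
    { SSL_ENABLED_TRUE,  SSL_ENABLED_FALSE, VERIFY_PEER_NAME },
    { SSL_ENABLED_UNSET, SSL_ENABLED_UNSET, VERIFY_PEER_NAME },
    { SSL_ENABLED_UNSET, SSL_ENABLED_TRUE,  VERIFY_PEER_NAME },
    { SSL_ENABLED_UNSET, SSL_ENABLED_FALSE, VERIFY_NONE      },
    { SSL_ENABLED_FALSE, SSL_ENABLED_TRUE,  VERIFY_PEER_CN   },
    { SSL_ENABLED_FALSE, SSL_ENABLED_UNSET, VERIFY_NONE      },
    { SSL_ENABLED_FALSE, SSL_ENABLED_FALSE, VERIFY_NONE      },
};

#define NROWS (sizeof(expected) / sizeof(expected[0]))

/* Count rows where the given decision function disagrees with the matrix. */
int count_mismatches(mode_fn fn)
{
    int bad = 0;
    size_t i;
    for (i = 0; i < NROWS; i++) {
        if (fn(expected[i].name, expected[i].cn, 1) != expected[i].want)
            bad++;
    }
    return bad;
}

/* 1 if any combination verifies without a hostname note; expected to be 0
 * for both versions, since hostname_note gates both branches. */
int verifies_without_hostname(mode_fn fn)
{
    size_t i;
    for (i = 0; i < NROWS; i++) {
        if (fn(expected[i].name, expected[i].cn, 0) != VERIFY_NONE)
            return 1;
    }
    return 0;
}

int main(void)
{
    printf("before patch: %d row(s) differ from the agreed table\n",
           count_mismatches(proxy_verify_mode_before));
    printf("after patch:  %d row(s) differ from the agreed table\n",
           count_mismatches(proxy_verify_mode_after));
    return 0;
}
```

The two rows the old logic gets wrong are `unset / off` (it still ran the name check) and `off / unset` (it still ran the CN check); the second is the one an operator should notice, because that combination was verified before the patch and is not verified after it.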