httpd-docs mailing list archives

From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: Confusion about SSLProxyCheckPeerName/CN
Date Wed, 01 Jun 2016 15:45:06 GMT
On Wed, Jun 1, 2016 at 9:46 AM, Ruediger Pluem <rpluem@apache.org> wrote:

>
>
> On 06/01/2016 04:19 PM, William A Rowe Jr wrote:
> > Correcting one typo, below...
> >
> > On Wed, Jun 1, 2016 at 9:19 AM, William A Rowe Jr <wrowe@rowe-clan.net> wrote:
> >
> >
> >     Proposal...
> >
> >     CheckPeerName  CheckPeerCN
> >      unset | on    unset | on    CheckPeerName verification
> >          off           on        *CheckPeerCN* verification
> >          off       unset | off   no verification
> >      unset | off       off       no verification
> >
> >     WDYT?
> >
> >
> >
>
> In general yes plus
>
> CheckPeerName  CheckPeerCN
>       on    unset | off    CheckPeerName verification
>

What about one more exceptional case... where the

CheckPeerCN On

is the only directive?  Do we still want to enable CheckPeerName by default?

  CheckPeerName  CheckPeerCN
       on         {ignored}    CheckPeerName verification
       unset         unset     CheckPeerName verification
       unset         on        CheckPeerName or CheckPeerCN verification?
       unset         off       no verification
       off           on        *CheckPeerCN* verification
       off       unset | off   no verification

Because CheckPeerName is a superset of the CheckPeerCN functionality,
I don't think there is any harm in using CheckPeerName in this case.
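
Added example (not part of the original message and not mod_ssl code): a simplified Python model of the last table above, showing which check each directive combination selects and why a name check accepts everything a CN check accepts. The function names, the certificate dict and its host names are constructed for illustration; the open "unset / on" row is resolved to CheckPeerName verification, as the message suggests.

```python
# Added illustration: a simplified model, not mod_ssl source code.
# Directive values: True = on, False = off, None = unset.

def effective_check(check_peer_name, check_peer_cn):
    """Resolve both directives using the last table in the message."""
    if check_peer_name is True:
        return "name"                      # CheckPeerCN is ignored
    if check_peer_name is False:
        return "cn" if check_peer_cn is True else "none"
    if check_peer_cn is False:             # CheckPeerName unset from here on
        return "none"
    # unset/unset, plus the open unset/on row, resolved the way the
    # message leans (CheckPeerName verification).
    return "name"

def _matches(pattern, host):
    """Documented wildcard rule: '*.' stands for exactly one leading label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        head, _, rest = host.partition(".")
        return bool(head) and rest == pattern[2:]
    return pattern == host

def verify_peer(mode, host, cert):
    """cert is a constructed dict: {'cn': str, 'san_dns': [str, ...]}."""
    if mode == "none":
        return True                        # any certificate name is accepted
    cn = cert.get("cn", "")
    if mode == "cn":
        return cn.lower() == host.lower()  # assumption: plain CN comparison
    names = list(cert.get("san_dns", [])) + [cn]
    return any(_matches(n, host) for n in names if n)

# Constructed sample certificate (not from the thread).
SAMPLE_CERT = {"cn": "legacy.backend.example",
               "san_dns": ["app.backend.example", "*.api.backend.example"]}

if __name__ == "__main__":
    for name, cn in [(True, None), (None, None), (None, True),
                     (None, False), (False, True), (False, None)]:
        mode = effective_check(name, cn)
        for host in ("legacy.backend.example", "app.backend.example",
                     "other.example"):
            print(name, cn, mode, host, verify_peer(mode, host, SAMPLE_CERT))
```

Every row that resolves to "none" accepts any backend certificate name, including other.example in the sample run.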
