httpd-docs mailing list archives

From Daniel Ruggeri <DRugg...@primary.net>
Subject Re: Confusion about SSLProxyCheckPeerName/CN
Date Fri, 03 Jun 2016 00:06:24 GMT

On 6/1/2016 9:19 AM, William A Rowe Jr wrote:
>
> Proposal...
>
> CheckPeerName  CheckPeerCN
>  unset | on    unset | on    CheckPeerName verification
>      off           on        *CheckPeerCN* verification
>      off       unset | off   no verification
>  unset | off       off       no verification
>
> WDYT?

+1

... but it is probably a very unlikely scenario for an administrator to
want to disable checking of SAN entries but to enable checking of CN
(the off/on scenario above). I'd argue it's reasonable to make both
directives simple toggles for CheckPeerName verification, but I still agree
that we cannot make an existing config represent X in version 1.2.3 and
represent Y in version 1.2.4 so CheckPeerCN logic should be retained.

-- 
Daniel Ruggeri

