httpd-test-dev mailing list archives

From Dominique Quatravaux <...@idealx.com>
Subject Re: svn commit: r148889 - /httpd/test/trunk/perl-framework/t/conf/ssl/ssl.conf.in /httpd/test/trunk/perl-framework/t/ssl/fakeauth.t
Date Fri, 28 Jan 2005 16:42:32 GMT

Joe Orton wrote:

| On Fri, Jan 28, 2005 at 02:40:38PM -0000, geoff@apache.org wrote:
|
|> [...]

|> +                    SSLVerifyClient      require +
|> SSLRequire           %{SSL_CLIENT_VERIFY} eq "SUCCESS" [...]
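
Review bot: On the SSLRequire line that follows `SSLVerifyClient require`, the expression %{SSL_CLIENT_VERIFY} eq "SUCCESS" tests a condition that the require level already makes mandatory, so the pair reads as either a redundancy or a typo for a weaker verify level. If both are intended, add a one-line comment above them in ssl.conf.in saying what fakeauth.t relies on; if not, drop one of the two.
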
|
|
| Did you mean SSLVerifyClient optional?  Otherwise the SSLRequire is
| surely redundant?

Actually, "SSLVerifyClient" means whether to *attempt* to validate the
peer certificate by sending appropriate handshake messages at the SSL
level, renegotiating mid-HTTP-request if need be, e.g. because we are
in a <Location> directive.

So Geoff is saying, "you must try" and on the next line "you must also
succeed". With SSLVerifyClient optional, the semantics would be
instead "Don't bother to insist on a certificate", "but if user
forgot it, give him flaming death". Considered inappropriate :-)


--
Dominique QUATRAVAUX                           Ingénieur senior
01 44 42 00 08                                 IDEALX
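
The directive combinations discussed in this thread, written out as a mod_ssl configuration fragment. This is an added example, not the contents of ssl.conf.in and not code from either poster; the location paths and the CA bundle path are placeholders, and it assumes a virtual host that already has SSLEngine on and a server certificate configured.

```apache
# Added example with placeholder paths; not taken from ssl.conf.in.
# CA certificates that client certificates are verified against.
SSLCACertificateFile conf/ssl/ca-bundle.crt

# Variant 1: the pair from the quoted hunk.
# A per-location verify level can trigger a renegotiation once the
# request path is known.
#   no client certificate -> the handshake/renegotiation fails, so
#                            no HTTP response is sent
#   certificate verifies  -> SSL_CLIENT_VERIFY is "SUCCESS", request
#                            is served
<Location /verify-require>
    SSLVerifyClient require
    SSLRequire      %{SSL_CLIENT_VERIFY} eq "SUCCESS"
</Location>

# Variant 2: the alternative raised in the reply.
#   no client certificate -> the handshake completes,
#                            SSL_CLIENT_VERIFY is "NONE", SSLRequire
#                            evaluates false, 403 Forbidden
#   certificate verifies  -> SSL_CLIENT_VERIFY is "SUCCESS", request
#                            is served
<Location /verify-optional>
    SSLVerifyClient optional
    SSLRequire      %{SSL_CLIENT_VERIFY} eq "SUCCESS"
</Location>

# Variant 3: "optional" with no access rule.
#   no client certificate -> request is still served; anything behind
#                            this location has to check
#                            SSL_CLIENT_VERIFY itself before trusting
#                            the caller's identity
<Location /verify-optional-unchecked>
    SSLVerifyClient optional
</Location>
```

Variant 3 is the one to look for when auditing a configuration: without an SSLRequire (or an equivalent check in the application), "optional" authenticates nobody.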
