http://issues.apache.org/bugzilla/show_bug.cgi?id=35083

------- Additional Comments From [EMAIL PROTECTED] 2005-08-31 12:33 -------

The specific configuration I'm talking about would be:

    SSLVerifyClient optional_no_ca
    SSLRequire %{SSL_VERIFY_CLIENT} eq "SUCCESS"
    ErrorDocument 403 /bzzt.html

but, I guess for the case where the cert has been revoked by a CRL, or the cert has expired, this is not sufficient, since the handshake will fail in those cases.

So the minimal enhancement that I think is acceptable is to have more fine-grained failure modes for SSLVerifyClient, e.g.

    SSLVerifyClient optional_revoked
    SSLVerifyClient optional_expired

or something like that. Maybe ideally it would be possible to combine such options perhaps, allowing

    SSLVerifyClient optional no_ca revoked expired

or using a separate directive:

    SSLVerifyClient optional
    SSLVerifyIgnoreFailures no_ca revoked expired

I'm not sure about the best UI here.

So I think a patch for something like this would be acceptable and is the best way to implement this feature. This is critical code and has a bad security history though so it needs to be done carefully.
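The decision logic the comment above proposes, as an added C model that is not mod_ssl code and not part of the original message: a failure class on the ignore list lets the handshake finish so the 403 error document can be served, but the recorded result still fails the access check. The flag names, struct and functions are hypothetical; the numeric error codes are the `X509_V_ERR_*` values from OpenSSL's `x509_vfy.h`.

```c
#include <stdio.h>
#include <string.h>

/* Numeric values of OpenSSL's X509_V_ERR_* codes (x509_vfy.h). */
enum { V_OK = 0, V_SIG_FAILURE = 7, V_EXPIRED = 10, V_SELF_SIGNED_LEAF = 18,
       V_SELF_SIGNED_IN_CHAIN = 19, V_NO_LOCAL_ISSUER = 20, V_REVOKED = 23 };

/* Hypothetical bit flags for the failure classes named in the comment. */
enum { IGN_NO_CA = 1, IGN_REVOKED = 2, IGN_EXPIRED = 4 };

typedef struct {
    int handshake_ok;     /* 1 if the TLS handshake is allowed to finish */
    const char *verify;   /* result the later access check compares */
} verdict;

/* Map a verification error to its ignorable class; 0 means never ignorable. */
static int failure_class(int err) {
    switch (err) {
    case V_SELF_SIGNED_LEAF:
    case V_SELF_SIGNED_IN_CHAIN:
    case V_NO_LOCAL_ISSUER: return IGN_NO_CA;
    case V_REVOKED:         return IGN_REVOKED;
    case V_EXPIRED:         return IGN_EXPIRED;
    default:                return 0;
    }
}

/* Handshake-time decision: tolerate only configured classes, and never
 * report a tolerated failure as SUCCESS. */
verdict verify_client(int err, int ignore_mask) {
    verdict v = { 1, "SUCCESS" };
    if (err == V_OK) return v;
    v.verify = "FAILED";
    v.handshake_ok = (failure_class(err) & ignore_mask) != 0;
    return v;
}

/* Request-time check modelling: SSLRequire <result> eq "SUCCESS".
 * Returns 0 when no HTTP response exists because the handshake aborted. */
int http_status(verdict v) {
    if (!v.handshake_ok) return 0;
    return strcmp(v.verify, "SUCCESS") == 0 ? 200 : 403;
}

int main(void) {
    int errs[] = { V_OK, V_NO_LOCAL_ISSUER, V_REVOKED, V_EXPIRED, V_SIG_FAILURE };
    for (size_t i = 0; i < sizeof errs / sizeof errs[0]; i++)
        printf("err=%2d  no_ca only: %3d   no_ca+revoked+expired: %3d\n", errs[i],
               http_status(verify_client(errs[i], IGN_NO_CA)),
               http_status(verify_client(errs[i], IGN_NO_CA | IGN_REVOKED | IGN_EXPIRED)));
    return 0;
}
```

Errors outside the three named classes, such as a bad signature, abort the handshake regardless of the mask.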
