https://issues.apache.org/bugzilla/show_bug.cgi?id=47492
Paul Donohue <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #2 from Paul Donohue <[email protected]> 2010-04-13 16:52:43 EDT ---

I don't understand the difference between this and optional_no_ca.

I'm pretty sure the Apache documentation is wrong about "optional" not working with all browsers. The SSL handshake is identical for both "optional" and "required" (see section 7.4.4 of RFC2246 or the 'REQUEST-CERTIFICATE' section of http://www.mozilla.org/projects/security/pki/nss/ssl/draft02.html). The only difference is that "required" will immediately send a "handshake failure" alert and close the connection if a certificate is not received from the client, while "optional" will ignore the missing certificate and continue.

I'm guessing the Apache documentation may be referring to older browsers automatically giving up and closing the connection themselves if a suitable cert is not available, essentially making the "optional" option the same as the "required" option for these browsers.

So I think you could accomplish the same thing as this patch simply by using optional_no_ca, then dropping the connection in your application if SSL_VERIFY is set to NONE.
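An added example, not part of the original comment: a minimal WSGI wrapper that performs the application-side check suggested above when Apache runs with `SSLVerifyClient optional_no_ca`. It assumes mod_ssl's `SSL_CLIENT_VERIFY` variable (values `NONE`, `SUCCESS`, `GENEROUS`, `FAILED:reason`) reaches the WSGI environ, and it answers 403 instead of dropping the connection; the function, class and `accept_unverified` names are illustrative.

```python
# Added example. Assumption: mod_ssl exports SSL_CLIENT_VERIFY into the
# WSGI environ (for CGI-style setups this needs "SSLOptions +StdEnvVars").


def classify_client_verify(value, accept_unverified=False):
    """Return (allowed, reason) for a mod_ssl SSL_CLIENT_VERIFY value."""
    if not value:
        # Variable missing: plain HTTP, or the server does not export it.
        return False, "no client-verify status available"
    if value == "NONE":
        # optional / optional_no_ca let the handshake finish without a cert.
        return False, "no client certificate presented"
    if value == "SUCCESS":
        return True, "certificate verified by the server"
    if value == "GENEROUS":
        # optional_no_ca accepted a cert that did not verify against a CA,
        # so its subject is only a claim until the application checks it.
        if accept_unverified:
            return True, "certificate presented, not verified by the server"
        return False, "certificate not verified against a CA"
    if value.startswith("FAILED"):
        return False, value
    return False, "unrecognised status"


class RequireClientCert:
    """WSGI middleware: refuse requests that lack an acceptable client cert."""

    def __init__(self, app, accept_unverified=False):
        self.app = app
        self.accept_unverified = accept_unverified

    def __call__(self, environ, start_response):
        allowed, reason = classify_client_verify(
            environ.get("SSL_CLIENT_VERIFY"), self.accept_unverified)
        if allowed:
            return self.app(environ, start_response)
        body = ("Client certificate required: %s\n" % reason).encode("utf-8")
        start_response("403 Forbidden", [
            ("Content-Type", "text/plain; charset=utf-8"),
            ("Content-Length", str(len(body))),
        ])
        return [body]
```

With `accept_unverified=True` the application takes over certificate validation itself, which is the usual reason to choose `optional_no_ca` in the first place.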
