https://issues.apache.org/bugzilla/show_bug.cgi?id=47492
--- Comment #3 from [email protected] 2010-04-13 17:09:20 EDT ---

require: always asks for a client certificate and always verifies it with the CA.
optional_no_ca: sometimes asks for a certificate, other times doesn't, and never verifies with the CA.
And this option, require_no_ca: always asks for a certificate and never verifies it.

It's very useful when you need to ask for a cert but you want to implement your own verify method (like me).

This version has a bug, but https://issues.apache.org/bugzilla/show_bug.cgi?id=49037 works great.

(In reply to comment #2)
> I don't understand the difference between this and optional_no_ca.
>
> I'm pretty sure the Apache documentation is wrong about "optional" not working
> with all browsers. The SSL handshake is identical for both "optional" and
> "required" (see section 7.4.4 of RFC2246 or the 'REQUEST-CERTIFICATE' section
> of http://www.mozilla.org/projects/security/pki/nss/ssl/draft02.html). The only
> difference is that "required" will immediately send a "handshake failure" alert
> and close the connection if a certificate is not received from the client,
> while "optional" will ignore the missing certificate and continue.
>
> I'm guessing the Apache documentation may be referring to older browsers
> automatically giving up and closing the connection themselves if a suitable
> cert is not available, essentially making the "optional" option the same as the
> "required" option for these browsers.
>
> So I think you could accomplish the same thing as this patch simply by using
> optional_no_ca, then dropping the connection in your application if SSL_VERIFY
> is set to NONE.
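The application-side check discussed in this thread (optional_no_ca plus your own verification), as an added example that is not part of the original comments or of the patch. It assumes a WSGI application behind mod_ssl, reads mod_ssl's `SSL_CLIENT_VERIFY` and `SSL_CLIENT_CERT` variables, and uses a SHA-256 fingerprint allow-list as the custom verify method; the class name and the sample certificate bytes are constructed for illustration.

```python
import hashlib
import ssl

def cert_fingerprint(pem):
    """Hex SHA-256 of the DER encoding of a PEM certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

class RequirePinnedClientCert:
    """WSGI middleware (hypothetical name): custom client-cert check.
    Assumed vhost settings: SSLVerifyClient optional_no_ca and
    SSLOptions +StdEnvVars +ExportCertData, so mod_ssl exports
    SSL_CLIENT_VERIFY and SSL_CLIENT_CERT to the application.
    """

    def __init__(self, app, allowed_fingerprints):
        self.app = app
        self.allowed = frozenset(f.lower() for f in allowed_fingerprints)

    def decide(self, environ):
        """Return (allowed, reason) for one request."""
        verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
        pem = environ.get("SSL_CLIENT_CERT", "")
        if verify == "NONE" or not pem:
            return False, "no client certificate presented"
        # SUCCESS: chained to a configured CA. GENEROUS: accepted only
        # because of optional_no_ca. Anything else (FAILED:...) is refused.
        if verify not in ("SUCCESS", "GENEROUS"):
            return False, "mod_ssl reported " + verify
        try:
            fingerprint = cert_fingerprint(pem)
        except ValueError:
            return False, "unparseable certificate data"
        if fingerprint not in self.allowed:
            return False, "certificate is not on the allow-list"
        return True, "pinned certificate " + fingerprint[:16]

    def __call__(self, environ, start_response):
        allowed, reason = self.decide(environ)
        if not allowed:
            body = reason.encode("ascii", "replace")
            start_response("403 Forbidden", [("Content-Type", "text/plain"),
                                             ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)

if __name__ == "__main__":
    pem = ssl.DER_cert_to_PEM_cert(b"constructed bytes, not a real certificate")
    mw = RequirePinnedClientCert(None, [cert_fingerprint(pem)])
    print(mw.decide({"SSL_CLIENT_VERIFY": "GENEROUS", "SSL_CLIENT_CERT": pem}))
```

The TLS handshake still proves that the client holds the private key for the certificate it presents, so the fingerprint check identifies the key holder even though no CA chain is validated.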
