https://issues.apache.org/bugzilla/show_bug.cgi?id=45922
--- Comment #2 from Paul Donohue <[email protected]> 2010-04-14 11:25:28 EDT ---

I concur. I have an application that does its own independent validation and trust checking of the client's certificate, and there are cases where Apache's validation fails and disconnects the client even though I actually want it to ignore the error and let my application deal with it.

I still believe the optional_no_ca option is valuable (I think the intent there is to accept valid but untrusted certificates, which is different from accepting invalid certificates), so this should probably be implemented as a new option.

I'm attaching two patches (one that applies against 2.2.x and one that applies against trunk) to address this. These patches add a new SSLVerifyClient option ('optional_no_verify') which will accept the certificate regardless of the validation result.

These patches include updated documentation which better describes the various SSLVerifyClient options and also corrects the ambiguities in the SSLProxyVerify documentation (which looks like it was copied and pasted from the SSLVerifyClient documentation).

These patches also correct the SSL_CLIENT_VERIFY variable so that it actually contains GENEROUS when verification fails but is accepted anyway (as per the existing documentation, see bug #45054), and so that it contains the verification error message if verification failed but was accepted anyway.
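Added example, not part of the original comment or of the attached patches: when Apache hands over a certificate it did not validate, the application behind it has to fail closed unless its own check passes. The sketch assumes the CGI/WSGI environment carries SSL_CLIENT_VERIFY and, via SSLOptions +ExportCertData, SSL_CLIENT_CERT; the function names, the app_validator callback and the exact form of the value after GENEROUS or FAILED are assumptions.

```python
from typing import Callable, Mapping, Optional, Tuple


def classify_client_verify(value: Optional[str]) -> Tuple[str, str]:
    """Map mod_ssl's SSL_CLIENT_VERIFY to (state, detail)."""
    if not value or value == "NONE":
        return ("no_cert", "")
    if value == "SUCCESS":
        return ("verified", "")
    # Documented values are NONE, SUCCESS, GENEROUS and FAILED:reason.
    # Assumption: any error text follows the keyword after a colon or space.
    for keyword in ("GENEROUS", "FAILED"):
        if value.startswith(keyword):
            return ("unverified", value[len(keyword):].lstrip(": "))
    # Anything unexpected is never treated as authenticated.
    return ("unknown", value)


def authorize(environ: Mapping[str, str],
              app_validator: Callable[[str], bool]) -> Tuple[bool, str]:
    """Decide whether the request's client certificate may be trusted.

    app_validator is the application's own chain/trust check (hypothetical
    callback); it receives the PEM certificate exported by mod_ssl.
    """
    state, _detail = classify_client_verify(environ.get("SSL_CLIENT_VERIFY"))
    pem = environ.get("SSL_CLIENT_CERT", "")
    if state == "verified":
        return (True, "apache-verified")
    if state == "unverified" and pem:
        # Apache accepted the handshake without vouching for the certificate,
        # so SSL_CLIENT_S_DN and friends are unauthenticated until this passes.
        ok = bool(app_validator(pem))
        return (ok, "app-verified" if ok else "app-rejected")
    return (False, state)


if __name__ == "__main__":
    # Constructed sample environment; the PEM body is a placeholder.
    sample = {"SSL_CLIENT_VERIFY": "FAILED:certificate has expired",
              "SSL_CLIENT_CERT": "-----BEGIN CERTIFICATE-----\n(placeholder)\n"}
    print(authorize(sample, lambda pem: False))
```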
