https://issues.apache.org/bugzilla/show_bug.cgi?id=45058
Christoph Anton Mitterer <[email protected]> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|enhancement |normal --- Comment #3 from Christoph Anton Mitterer <[email protected]> --- I've reported an request to the editors of the CGI specification, where I present two possible solution to deal with the problem from the standard side: http://www.rfc-editor.org/errata_search.php?eid=3556 To comment on Emmanuel's original idea of having AUTH_TYPE set to e.g. "Certificate"... IMHO that's a bad idea, especially using a non standardised type-name will sooner or later cause troubles. Further I increased the severity to "normal". IMHO this is not only an enhancement... in the real world, many CGI programs depend on AUTH_TYPE... and it's very common to e.g. use SSL/TLS client auth + fakeBasicAuth with them... but now those programs won't realise... that BasicAuth information is present and fail. For that reason, may I ask the mod_ssl maintainers to think about intermediate solutions (until the standard might be updated). One possibility would be to simply set the AUTH_TYPE, as if SSL wasn't used... This is surely not a clean solution, but will probably work in all scenarios, as noone expects AUTH_TYPE to contain SSL/TLS related info (it never did). Another way would be adding a new directive, that allows to specify the behaviour of AUTH_TYPE when it was used with SSL. Cheers, Chris. -- You are receiving this mail because: You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
