https://bz.apache.org/bugzilla/show_bug.cgi?id=61984
--- Comment #4 from Dan Oliver <[email protected]> ---

If certs are not being authenticated then SSL is not being set up properly. I'm not saying that someone shouldn't be able to do something incredibly dangerous, but it shouldn't be the default.

In the case of someone setting up an rproxy on an untrusted network, if someone incorrectly assumes that perhaps the CACertificateFile they have already provided for their front end SSL configuration is also being used on the back end (not understanding there is a separate SSLProxyCACertificateWhatever) and they perform their initial setup with certs that are signed by a signer from their front end, they may not realize that no verification of the certificate is being done at all. That is to say, someone might understand how to theoretically set up an SSL connection on an untrusted network, but the configuration directives and defaults are not intuitive and, without a careful read of the documentation, could be deployed insecurely even by an experienced individual.

The documentation should definitely be more clear, but being that the default should be updated. I have NEVER seen another program that when set up to use SSL does not attempt to properly verify the certificate by default.
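The misconfiguration the comment describes, shown as an added example (not from the bug report or the httpd project): the front-end `SSLCACertificateFile` has no effect on the back-end connection, so without the separate `SSLProxy*` directives the default `SSLProxyVerify none` applies. Hostnames and file paths are placeholders.

```apache
# Added example, not from the bug report. Hostnames and paths are placeholders.

# WEAK: the operator assumes the front-end CA file also covers the backend.
<VirtualHost *:443>
    ServerName proxy.example.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/proxy.example.invalid.crt
    SSLCertificateKeyFile /etc/ssl/private/proxy.example.invalid.key
    # Only governs verification of client certificates on the front end.
    SSLCACertificateFile  /etc/ssl/certs/frontend-ca.crt

    SSLProxyEngine on
    # No SSLProxyVerify / SSLProxyCACertificateFile here, so the default
    # (SSLProxyVerify none) is in force: the backend certificate is never
    # checked, even though it is signed by the same CA as above.
    ProxyPass        / https://backend.internal.invalid/
    ProxyPassReverse / https://backend.internal.invalid/
</VirtualHost>

# CORRECTED: verification of the backend is configured explicitly.
<VirtualHost *:443>
    ServerName proxy.example.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/proxy.example.invalid.crt
    SSLCertificateKeyFile /etc/ssl/private/proxy.example.invalid.key
    SSLCACertificateFile  /etc/ssl/certs/frontend-ca.crt

    SSLProxyEngine on
    # Require a chain that validates against the backend CA bundle...
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/ssl/certs/backend-ca.crt
    # ...and insist that the certificate matches the backend hostname.
    SSLProxyCheckPeerName     on
    SSLProxyCheckPeerExpire   on
    ProxyPass        / https://backend.internal.invalid/
    ProxyPassReverse / https://backend.internal.invalid/
</VirtualHost>
```

A quick way to catch the weak form in review is to grep every `SSLProxyEngine on` vhost for a matching `SSLProxyVerify require`; `httpd -t` will not flag its absence because the default is syntactically valid.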
