https://bz.apache.org/bugzilla/show_bug.cgi?id=70003
--- Comment #6 from Joe Orton <[email protected]> ---

Thanks Simon and Dirk! I have a strong preference for not adding another mod_ssl config option. And I've always hated "SSLVerify optional_no_ca"... it's grossly underspecified. Why are only that specific set of X.509 verification errors ignored? If we add more (like in https://github.com/apache/httpd/pull/192 ) does that not change the security model entirely for anybody who somehow relies on / uses that?

I think if I'd design it from scratch I'd have an optional 2nd argument for SSLVerifyClient:

    SSLVerifyClient optional <comma-separated-list-of-failures>

and then have keywords which map to the X509_V_* constants. So I'd look at a PR for that. And "optional_no_ca" could become syntactic sugar for:

    SSLVerifyClient optional self-signed,untrusted-cert,expired-cert

or similar. Then handling X509_V_ERR_INVALID_PURPOSE is just another keyword in that list. Does that make sense?
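The following is an added sketch of the directive syntax proposed in the comment above; it is not httpd or mod_ssl code and not part of the bug thread. It models the proposal as a small policy object: the second argument is parsed into an explicit set of X509_V_ERR_* codes that the verify callback is allowed to tolerate, "optional_no_ca" is expanded to the sugar the comment suggests, and a helper reports exactly which error codes a changed directive newly tolerates, which is the "does this change the security model" question made checkable. The keyword names, the grouping of error codes under each keyword, and the exact expansion of "optional_no_ca" are assumptions (the comment says "or similar"); the numeric X509_V_ERR_* values are copied from OpenSSL's x509_vfy.h as I remember them; and the result strings mirror the NONE / SUCCESS / GENEROUS / FAILED:reason values mod_ssl documents for SSL_CLIENT_VERIFY. An unknown keyword is a configuration error rather than being silently ignored, so a typo in the failure list fails closed.

```python
"""Sketch of 'SSLVerifyClient optional <failure-list>' (added example, not httpd code)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

# OpenSSL X509_V_ERR_* codes; numeric values assumed from x509_vfy.h.
X509_V_OK = 0
X509_V_ERR_CERT_NOT_YET_VALID = 9
X509_V_ERR_CERT_HAS_EXPIRED = 10
X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT = 18
X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN = 19
X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY = 20
X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE = 21
X509_V_ERR_CERT_REVOKED = 23
X509_V_ERR_INVALID_PURPOSE = 26
X509_V_ERR_CERT_UNTRUSTED = 27

ERR_NAMES = {
    X509_V_ERR_CERT_NOT_YET_VALID: "X509_V_ERR_CERT_NOT_YET_VALID",
    X509_V_ERR_CERT_HAS_EXPIRED: "X509_V_ERR_CERT_HAS_EXPIRED",
    X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: "X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT",
    X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: "X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN",
    X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY: "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY",
    X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE: "X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE",
    X509_V_ERR_CERT_REVOKED: "X509_V_ERR_CERT_REVOKED",
    X509_V_ERR_INVALID_PURPOSE: "X509_V_ERR_INVALID_PURPOSE",
    X509_V_ERR_CERT_UNTRUSTED: "X509_V_ERR_CERT_UNTRUSTED",
}

# Hypothetical keywords and the error codes each one tolerates (grouping is an assumption).
KEYWORDS = {
    "self-signed": frozenset({X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT,
                              X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN}),
    "untrusted-cert": frozenset({X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
                                 X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE,
                                 X509_V_ERR_CERT_UNTRUSTED}),
    "expired-cert": frozenset({X509_V_ERR_CERT_NOT_YET_VALID, X509_V_ERR_CERT_HAS_EXPIRED}),
    "invalid-purpose": frozenset({X509_V_ERR_INVALID_PURPOSE}),
}

# The expansion the comment proposes for the legacy keyword (assumed wording).
OPTIONAL_NO_CA_SUGAR = "optional self-signed,untrusted-cert,expired-cert"


@dataclass(frozen=True)
class VerifyPolicy:
    mode: str                  # none | optional | require
    tolerated: FrozenSet[int]  # X509_V_ERR_* codes that do not abort the handshake


def parse_verify_client(args: str) -> VerifyPolicy:
    """Parse the argument string of a hypothetical SSLVerifyClient line."""
    tokens = args.split()
    if tokens == ["optional_no_ca"]:
        tokens = OPTIONAL_NO_CA_SUGAR.split()
    if not tokens or tokens[0] not in ("none", "optional", "require"):
        raise ValueError(f"bad SSLVerifyClient argument {args!r}")
    mode = tokens[0]
    if len(tokens) == 1:
        return VerifyPolicy(mode, frozenset())
    if len(tokens) != 2 or mode != "optional":
        raise ValueError("a failure list is only valid as the 2nd argument of 'optional'")
    tolerated = set()
    for keyword in tokens[1].split(","):
        if keyword not in KEYWORDS:
            raise ValueError(f"unknown verification-failure keyword {keyword!r}")  # fail closed
        tolerated |= KEYWORDS[keyword]
    return VerifyPolicy(mode, frozenset(tolerated))


def verify_client(policy: VerifyPolicy, chain: List[Tuple[int, int]]) -> Tuple[bool, str]:
    """Model of the per-certificate verify callback.

    chain: (depth, X509_V_* result) for each presented certificate, leaf first;
    an empty list means the client sent no certificate.
    Returns (handshake continues, SSL_CLIENT_VERIFY value).
    """
    if policy.mode == "none":
        return True, "NONE"
    if not chain:
        return policy.mode != "require", "NONE"
    generous = False
    for _depth, err in chain:
        if err == X509_V_OK:
            continue
        if err in policy.tolerated:
            generous = True  # accepted, but the application must not treat it as verified
            continue
        return False, "FAILED:" + ERR_NAMES.get(err, str(err))
    return True, "GENEROUS" if generous else "SUCCESS"


def newly_tolerated(old_args: str, new_args: str) -> FrozenSet[int]:
    """Error codes a changed directive tolerates that the old one rejected."""
    return parse_verify_client(new_args).tolerated - parse_verify_client(old_args).tolerated


if __name__ == "__main__":
    # Constructed chains: a self-signed leaf, a leaf with a wrong purpose, a revoked issuer.
    legacy = parse_verify_client("optional_no_ca")
    widened = parse_verify_client("optional self-signed,untrusted-cert,expired-cert,invalid-purpose")
    for label, chain in [("self-signed", [(0, X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)]),
                         ("bad purpose", [(0, X509_V_ERR_INVALID_PURPOSE)]),
                         ("revoked issuer", [(0, X509_V_OK), (1, X509_V_ERR_CERT_REVOKED)])]:
        print(label, verify_client(legacy, chain), verify_client(widened, chain))
    print("newly tolerated:", sorted(ERR_NAMES[c] for c in newly_tolerated(
        "optional_no_ca", "optional self-signed,untrusted-cert,expired-cert,invalid-purpose")))
```

Note that "GENEROUS" is returned even when only an intermediate certificate hit a tolerated error, and the handshake still proceeds; anything behind such a server must branch on SSL_CLIENT_VERIFY rather than on the mere presence of a client certificate.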
