On Tue, Apr 22, 2008 at 06:27:26PM +0200, Dirk-Willem van Gulik wrote:
>
> On Apr 22, 2008, at 5:53 PM, Joe Orton wrote:
>> On Wed, Feb 13, 2008 at 10:00:23AM +0100, Kaspar Brand wrote:
>>> While I was testing revocation checking for client certs in an SNI
>>> configuration (Dirk, many thanks for make_sni.sh, btw!), I came across a
>>> flaw in the current implementation when CRL information - i.e.
>>> SSLCARevocationFile/SSLCARevocationPath - is set on a per-vhost basis
>>> (don't know how much sense it makes to have non-global CRLs, but
>>> anyway...).
>>
>> Someone bugged me about the SNI support so I finally got round to chasing
>> this up.
>>
>> I hacked up a quick test based on Dirk's make_sni.sh; this adds
>> "SSLVerifyClient" & SSLCACertificateFile to the second and third named
>> vhosts.
>>
>> And this confirms my original suspicions: I can access those vhosts
>> without having to present a certificate, i.e. the configured access
>> control restrictions can be bypassed. If I move the SSLVerifyClient/etc
>> to the first vhost, it works as expected.
>
> Is this fixed by Kaspar Brand's patch? (See his msg from 13/2.)
That is the patch committed as r627699, right? In which case, no, I'm
seeing this behaviour with the current trunk.

joe
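Added example, not part of the thread and not code from httpd or from Dirk's make_sni.sh: a small probe script that, for each SNI name, performs a handshake with no client certificate and reports whether the server sent a CertificateRequest at all. It relies on the `openssl s_client -servername` option and on the "Acceptable client certificate CA names" / "No client certificate CA names sent" lines that s_client prints; the host, port, the name:policy arguments and the sample s_client excerpts below are assumptions constructed for the example, not captured from the test setup described above.

```shell
#!/bin/sh
# Added example (not from the thread, httpd, or make_sni.sh). Probes SNI
# vhosts and reports whether the server asked for a client certificate.
# Assumes a test server at HOST:PORT whose vhosts are listed as NAME:POLICY,
# where POLICY is "require" (SSLVerifyClient require set on that vhost) or
# "none".

# Classify captured `openssl s_client` output. s_client prints
# "Acceptable client certificate CA names" when the server sent a
# CertificateRequest and "No client certificate CA names sent" when it did
# not; anything else (e.g. a refused connection) is reported as "unknown".
classify_s_client_output() {
    if printf '%s\n' "$1" | grep -q 'Acceptable client certificate CA names'; then
        echo requested
    elif printf '%s\n' "$1" | grep -q 'No client certificate CA names sent'; then
        echo not-requested
    else
        echo unknown
    fi
}

# Compare what the vhost's configuration demands with what was observed.
# "BYPASS" is the case from the thread: a vhost configured to require a
# client certificate that never asked for one.
verdict() {  # expected observed
    case "$1:$2" in
        require:requested)     echo ok ;;
        require:not-requested) echo BYPASS ;;
        none:not-requested)    echo ok ;;
        none:requested)        echo unexpected ;;
        *)                     echo unknown ;;
    esac
}

# Live probe of one SNI name. No client certificate is offered, so a vhost
# that enforces SSLVerifyClient require must at least send a
# CertificateRequest (or abort the handshake) for the probe to report "ok".
probe_vhost() {  # servername host port
    out=$(printf 'Q\n' | openssl s_client -servername "$1" -connect "$2:$3" 2>&1)
    classify_s_client_output "$out"
}

# Constructed s_client excerpts (not captured from a real server) so the
# classifier can be exercised offline.
SAMPLE_REQUESTED='---
Acceptable client certificate CA names
/C=XX/O=Example Test CA/CN=Example Client CA
---
SSL handshake has read 2345 bytes and written 456 bytes'
SAMPLE_NOT_REQUESTED='---
No client certificate CA names sent
---
SSL handshake has read 1234 bytes and written 345 bytes'

# Usage (hypothetical names): sh sni_probe.sh 127.0.0.1 443 \
#     first.example.test:none second.example.test:require third.example.test:require
if [ "$#" -ge 3 ]; then
    host=$1; port=$2; shift 2
    for spec in "$@"; do
        name=${spec%%:*}; policy=${spec#*:}
        observed=$(probe_vhost "$name" "$host" "$port")
        printf '%-28s expected=%-8s observed=%-14s %s\n' \
            "$name" "$policy" "$observed" "$(verdict "$policy" "$observed")"
    done
fi
```

A line reading BYPASS for a vhost other than the first one, alongside "ok" for the same directives moved to the first vhost, reproduces the behaviour reported in the thread. The probe only sees the initial handshake, so it covers vhost-level SSLVerifyClient; a per-directory SSLVerifyClient is enforced by mod_ssl through a renegotiation after the request is read, which this check does not exercise.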
