On Sun, Jan 16, 2011 at 11:34:29AM +0100, Kaspar Brand wrote:
> On 13.12.2010 15:24, Jim Jagielski wrote:
> > At this late in the game, I would prefer to do this post-2.3.10...
> > safer that way.
>
> Polite reminder, according to [1]... :-) I feel it's important because
> it addresses PR 49784 and a few additional improvements for the OCSP
> checking code (for client auth).
>
> Patch v2 from December is attached again, for the sake of easier reference.

Thanks a lot for the patch & the prod... I've merged the config options changes with some minor tweaks (OpenSSL seems to stomp on the OCSP_* namespace so I renamed the macros):

http://svn.apache.org/viewvc?rev=1059917&view=rev

w.r.t. the change to skip OCSP validation for valid self-signed certs, I brought this up a while back:

http://www.mail-archive.com/[email protected]/msg38849.html

and Stephen said it should probably be configurable. Has common practice evolved here such that hard-coding the less strict behaviour is reasonable?

Regards,
Joe
