On 17.8.12 13:59, [email protected] wrote:
> Author: jorton
> Date: Fri Aug 17 11:59:45 2012
> New Revision: 1374214
>
> URL: http://svn.apache.org/viewvc?rev=1374214&view=rev
> Log:
> * modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs): Fix test for
> missing decrypted private keys, and ensure that the keypair matches.
[...] > @@ -1412,6 +1421,8 @@ static void ssl_init_proxy_certs(server_ > ssl_die(s); > } > > + /* ### Why is all the following done? Why is it necessary or > + * useful for the server to try to verify its own client cert? */ It's the somewhat surprising way to let OpenSSL build the chain of the client cert, cf. http://mail-archives.apache.org/mod_mbox/httpd-dev/201109.mbox/%[email protected]%3E http://mail-archives.apache.org/mod_mbox/httpd-dev/201109.mbox/%[email protected]%3E http://mail-archives.apache.org/mod_mbox/httpd-dev/201109.mbox/%[email protected]%3E Kaspar
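Review bot: the "### Why is all the following done?" comment added after the ssl_die(s) block in ssl_init_proxy_certs records an open question in the source instead of documenting the code that follows it. The reply in this thread gives the answer: the verification step is how OpenSSL is made to build the chain of the client cert. I would replace the question with a short comment stating that purpose, so the reason for verifying the server's own client cert is visible at the call site.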
