On Fri, Mar 11, 2016 at 2:51 PM, <[email protected]> wrote:
> Author: ylavic
> Date: Fri Mar 11 13:51:17 2016
> New Revision: 1734561
>
> URL: http://svn.apache.org/viewvc?rev=1734561&view=rev
> Log:
> mod_ssl: Add no_crl_for_cert_ok flag to SSLCARevocationCheck directive
> to opt-in previous behaviour (2.2) with CRLs verification when checking
> certificate(s) with no corresponding CRL.

I wonder if this commit is not a bit overkill, and whether, instead of adding new options/flags to "SSLCARevocationCheck chain|leaf option(s)" with only this "no_crl_for_cert_ok" flag for now (will there ever be others?), I shouldn't rather simply use a new token like "chain-allow-miss"...

Anyway, I have to fix ssl_callback_SSLVerify() (which uses sc->server->crl_check_flags instead of mctx->crl_check_flags, and hence does not work in the proxy case), so I could easily be convinced to simplify the whole thing :)

Thoughts?
