On Tue, May 31, 2016 at 11:37 AM, William A Rowe Jr <wr...@rowe-clan.net> wrote:
> It seems the behavior introduced in 2.4.5 is causing a lot
> of confusion for users attempting to disable peer checking.
>
> I would suggest that CheckPeerCN should NOT default to "on" any longer.
> The only valid use case is for the user to actively disable CheckPeerName
> (off), and has still wishes to actively enable CheckPeerCN (on).
>
> But we will need to improve this horrible CheckPeerName documentation for
> users of 2.4.5 through 2.4.20, even if we change the behavior
>

--- ssl_engine_io.c (revision 1746297)
+++ ssl_engine_io.c (working copy)
@@ -1200,7 +1200,7 @@
                                      "for hostname %s", hostname_note);
         }
     }
-    else if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) &&
+    else if ((sc->proxy_ssl_check_peer_cn == SSL_ENABLED_TRUE) &&
              hostname_note) {
         const char *hostname;
         int match = 0;

Seems to be the entire patch, no?

Bill
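Review bot: the one-line change in the `else if` at line 1200 is sufficient for the behavior change but not for the stated goal of the message. Replacing `!= SSL_ENABLED_FALSE` with `== SSL_ENABLED_TRUE` only matters because `proxy_ssl_check_peer_cn` has a third, unset state: before, an unconfigured CheckPeerCN still entered the CN-matching branch (effectively defaulting to on); after, only an explicit `on` does, so the default becomes off as proposed. Two things should accompany the hunk: the documented default for CheckPeerCN must be updated so that the directive reference stops claiming "on", and the CheckPeerName documentation the quoted text calls out for 2.4.5 through 2.4.20 should explain that with CheckPeerName off and CheckPeerCN unset, no peer identity check is performed at all. Worth a short comment above the condition as well, e.g. `/* CN check only when explicitly enabled; CheckPeerName above is the default */`, since the asymmetry between the two branches is exactly what has been confusing users.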