This looks like the resulting patch. Wordsmithing the docs changes today...
On Wed, Jun 1, 2016 at 1:50 PM, Ruediger Pluem <rpl...@apache.org> wrote: > > On 06/01/2016 05:45 PM, William A Rowe Jr wrote: > > > > CheckPeerName CheckPeerCN > > on {ignored} CheckPeerName verification > > unset unset CheckPeerName verification > > unset on CheckPeerName verification? > > unset off no verification > > off on *CheckPeerCN* verification > > off unset | off no verification > > > > Because CheckPeerName is a superset of the CheckPeerCN functionality, > > I don't think there is any harm is using CheckPeerName in this case. > > > > I think CheckPeerName is ok in this case. > > Regards > > RĂ¼diger > Index: ssl_engine_io.c =================================================================== --- ssl_engine_io.c (revision 1746587) +++ ssl_engine_io.c (working copy) @@ -1189,6 +1189,8 @@ } } if ((sc->proxy_ssl_check_peer_name != SSL_ENABLED_FALSE) && + ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) || + (sc->proxy_ssl_check_peer_name == SSL_ENABLED_TRUE)) && hostname_note) { apr_table_unset(c->notes, "proxy-request-hostname"); if (!cert @@ -1200,7 +1202,7 @@ "for hostname %s", hostname_note); } } - else if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) && + else if ((sc->proxy_ssl_check_peer_cn == SSL_ENABLED_TRUE) && hostname_note) { const char *hostname; int match = 0;