On Tue, May 31, 2016 at 11:37 AM, William A Rowe Jr <[email protected]>
wrote:
> It seems the behavior introduced in 2.4.5 is causing a lot
> of confusion for users attempting to disable peer checking.
>
> I would suggest that CheckPeerCN should NOT default to "on" any longer.
> The only valid use case is for the user to actively disable CheckPeerName
> (off), and still wishes to actively enable CheckPeerCN (on).
>
> But we will need to improve this horrible CheckPeerName documentation for
> users of 2.4.5 through 2.4.20, even if we change the behavior
>
--- ssl_engine_io.c (revision 1746297)
+++ ssl_engine_io.c (working copy)
@@ -1200,7 +1200,7 @@
"for hostname %s", hostname_note);
}
}
- else if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) &&
+ else if ((sc->proxy_ssl_check_peer_cn == SSL_ENABLED_TRUE) &&
hostname_note) {
const char *hostname;
int match = 0;
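Review bot: flipping the `else if` test from `!= SSL_ENABLED_FALSE` to `== SSL_ENABLED_TRUE` makes an unset `proxy_ssl_check_peer_cn` (anything other than an explicit "on") skip the CN comparison entirely, which is the intended new default but is also a silent loss of checking for anyone who turned CheckPeerName off and relied on the implicit CN check that 2.4.5 through 2.4.20 performed; the hunk carries no CHANGES entry or documentation change, so the new "off" default and the need to set CheckPeerCN on explicitly to keep the old behaviour should land alongside it, ideally in the same commit as the CheckPeerName documentation fix the quoted message asks for.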
Seems to be the entire patch, no?
Bill