This looks like the resulting patch. Wordsmithing the docs changes today...
On Wed, Jun 1, 2016 at 1:50 PM, Ruediger Pluem wrote:
>
> On 06/01/2016 05:45 PM, William A Rowe Jr wrote:
> >
> > CheckPeerName  CheckPeerCN
> > on             {ignored}     CheckPeerName verification
> > unset          unset         CheckPeerName verification
> > unset          on            CheckPeerName verification?
> > unset          off           no verification
> > off            on            *CheckPeerCN* verification
> > off            unset | off   no verification
> >
> > Because CheckPeerName is a superset of the CheckPeerCN functionality,
> > I don't think there is any harm in using CheckPeerName in this case.
> >
>
> I think CheckPeerName is ok in this case.
>
> Regards
>
> Rüdiger
>
Index: ssl_engine_io.c
===
--- ssl_engine_io.c (revision 1746587)
+++ ssl_engine_io.c (working copy)
@@ -1189,6 +1189,8 @@
}
}
if ((sc->proxy_ssl_check_peer_name != SSL_ENABLED_FALSE) &&
+((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) ||
+ (sc->proxy_ssl_check_peer_name == SSL_ENABLED_TRUE)) &&
hostname_note) {
apr_table_unset(c->notes, "proxy-request-hostname");
if (!cert
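Review bot: The compound test added to the first `if` (name `!= SSL_ENABLED_FALSE`, then cn `!= SSL_ENABLED_FALSE` or name `== SSL_ENABLED_TRUE`) carries no comment, and a reader has to rebuild the truth table from the thread to check it. Please add a short comment above the `if` spelling out the intent: an explicit CheckPeerName on always checks, an unset CheckPeerName checks unless CheckPeerCN is explicitly off, and an explicit CheckPeerName off never takes this branch. It is also worth stating there that when CheckPeerName is unset and CheckPeerCN is off this block is skipped and, with the `else if` below now requiring `== SSL_ENABLED_TRUE`, no name verification runs at all.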
@@ -1200,7 +1202,7 @@
"for hostname %s", hostname_note);
}
}
-else if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) &&
+else if ((sc->proxy_ssl_check_peer_cn == SSL_ENABLED_TRUE) &&
hostname_note) {
const char *hostname;
int match = 0;
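Review bot: Tightening the `else if` from `!= SSL_ENABLED_FALSE` to `== SSL_ENABLED_TRUE` removes a check that existing configurations get today: with CheckPeerName off and CheckPeerCN left unset, the old condition ran the CN comparison and the new one runs nothing. That matches the "off / unset | off" row of the table, but it silently weakens verification for anyone who only turned CheckPeerName off, so it needs an explicit mention in the docs changes. Consider also emitting a log message when both branches are skipped for a connection that has a `hostname_note`, so an operator can tell that the peer name was not verified.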