All,

I'm starting to use SSLVerifyClient.  I can't find any documentation on exactly 
what it means to verify a client, however.

By reading the source, I found that some of the work is delegated to OpenSSL 
and its behavior is somewhat documented here:  
http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html.  When it says 
"signatures and issuer attributes are checked," I assume it's checking that the 
issuer is trusted and the cert is not expired.  Do you know of anything else?

Also, does Apache itself do anything besides this?  I can't really read the C 
source well enough to know (ssl_engine_kernel's ssl_callback_SSLVerify function 
seems to be the place.)  For example, is there anything that checks that the 
request is coming from the host identified in the cert?  I assume there is but 
don't see anything like that in the src.

Thanks

John


