You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by rp...@apache.org on 2009/04/29 18:18:21 UTC

svn commit: r769815 - in /httpd/httpd/trunk: docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_io.c

Author: rpluem
Date: Wed Apr 29 16:18:21 2009
New Revision: 769815

URL: http://svn.apache.org/viewvc?rev=769815&view=rev
Log:
* Set SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN to on by default.

Modified:
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
    httpd/httpd/trunk/modules/ssl/ssl_engine_io.c

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=769815&r1=769814&r2=769815&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Wed Apr 29 16:18:21 2009
@@ -1537,7 +1537,7 @@
 <description>Whether to check if remote server certificate is expired
 </description>
 <syntax>SSLProxyCheckPeerExpire on|off</syntax>
-<default>SSLProxyCheckPeerExpire off</default>
+<default>SSLProxyCheckPeerExpire on</default>
 <contextlist><context>server config</context>
 <context>virtual host</context></contextlist>
 
@@ -1558,7 +1558,7 @@
 <description>Whether to check the remote server certificates CN field
 </description>
 <syntax>SSLProxyCheckPeerCN on|off</syntax>
-<default>SSLProxyCheckPeerCN off</default>
+<default>SSLProxyCheckPeerCN on</default>
 <contextlist><context>server config</context>
 <context>virtual host</context></contextlist>
 

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?rev=769815&r1=769814&r2=769815&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_io.c Wed Apr 29 16:18:21 2009
@@ -1073,7 +1073,7 @@
             return MODSSL_ERROR_BAD_GATEWAY;
         }
 
-        if (sc->proxy_ssl_check_peer_expire == SSL_ENABLED_TRUE) {
+        if (sc->proxy_ssl_check_peer_expire != SSL_ENABLED_FALSE) {
             cert = SSL_get_peer_certificate(filter_ctx->pssl);
             if (!cert
                 || (X509_cmp_current_time(
@@ -1091,7 +1091,7 @@
             }
             X509_free(cert);
         }
-        if ((sc->proxy_ssl_check_peer_cn == SSL_ENABLED_TRUE)
+        if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE)
             && ((hostname_note =
                  apr_table_get(c->notes, "proxy-request-hostname")) != NULL)) {
             const char *hostname;