Posted to cvs@httpd.apache.org by rp...@apache.org on 2009/04/29 18:18:21 UTC
svn commit: r769815 - in /httpd/httpd/trunk: docs/manual/mod/mod_ssl.xml
modules/ssl/ssl_engine_io.c
Author: rpluem
Date: Wed Apr 29 16:18:21 2009
New Revision: 769815
URL: http://svn.apache.org/viewvc?rev=769815&view=rev
Log:
* Set SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN to on by default.
Modified:
httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=769815&r1=769814&r2=769815&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Wed Apr 29 16:18:21 2009
@@ -1537,7 +1537,7 @@
<description>Whether to check if remote server certificate is expired
</description>
<syntax>SSLProxyCheckPeerExpire on|off</syntax>
-<default>SSLProxyCheckPeerExpire off</default>
+<default>SSLProxyCheckPeerExpire on</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
@@ -1558,7 +1558,7 @@
<description>Whether to check the remote server certificates CN field
</description>
<syntax>SSLProxyCheckPeerCN on|off</syntax>
-<default>SSLProxyCheckPeerCN off</default>
+<default>SSLProxyCheckPeerCN on</default>
<contextlist><context>server config</context>
<context>virtual host</context></contextlist>
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_io.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_io.c?rev=769815&r1=769814&r2=769815&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_io.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_io.c Wed Apr 29 16:18:21 2009
@@ -1073,7 +1073,7 @@
return MODSSL_ERROR_BAD_GATEWAY;
}
- if (sc->proxy_ssl_check_peer_expire == SSL_ENABLED_TRUE) {
+ if (sc->proxy_ssl_check_peer_expire != SSL_ENABLED_FALSE) {
cert = SSL_get_peer_certificate(filter_ctx->pssl);
if (!cert
|| (X509_cmp_current_time(
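Review bot: The test `sc->proxy_ssl_check_peer_expire != SSL_ENABLED_FALSE` now carries the new default, so an unset directive and any other non-false value both run the expiry check, and nothing at the call site says this is intended. A short comment above the test would record it, for example `/* on unless explicitly disabled: an unset directive must still verify expiry */`. The same applies to the `proxy_ssl_check_peer_cn` test in the following hunk. The enclosing function starts and ends outside this hunk, so how the unset value is merged between server and virtual-host configuration cannot be confirmed from here.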
@@ -1091,7 +1091,7 @@
}
X509_free(cert);
}
- if ((sc->proxy_ssl_check_peer_cn == SSL_ENABLED_TRUE)
+ if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE)
&& ((hostname_note =
apr_table_get(c->notes, "proxy-request-hostname")) != NULL)) {
const char *hostname;
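Review bot: With the CN check now on by default, the clause `&& ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL)` makes it fail open: a connection that lacks this note skips the name comparison, and no error or log entry is visible for that case. Whether the note can be absent on a proxied connection is not determinable from this hunk. If it can, the enabled-but-skipped case should at least be logged, or rejected with `MODSSL_ERROR_BAD_GATEWAY` as the failure path in the preceding hunk does. The body of this `if` continues past the end of the hunk.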