Posted to cvs@httpd.apache.org by rb...@apache.org on 2016/06/07 11:00:53 UTC

svn commit: r1747191 [1/3] - in /httpd/httpd/trunk/docs/manual: mod/core.html.en mod/mod_ssl.html.en mod/quickreference.html.es mod/quickreference.xml.meta vhosts/examples.html.en

Author: rbowen
Date: Tue Jun  7 11:00:52 2016
New Revision: 1747191

URL: http://svn.apache.org/viewvc?rev=1747191&view=rev
Log:
rebuild

Modified:
    httpd/httpd/trunk/docs/manual/mod/core.html.en
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en
    httpd/httpd/trunk/docs/manual/mod/quickreference.html.es
    httpd/httpd/trunk/docs/manual/mod/quickreference.xml.meta
    httpd/httpd/trunk/docs/manual/vhosts/examples.html.en

Modified: httpd/httpd/trunk/docs/manual/mod/core.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/core.html.en?rev=1747191&r1=1747190&r2=1747191&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/core.html.en (original)
+++ httpd/httpd/trunk/docs/manual/mod/core.html.en Tue Jun  7 11:00:52 2016
@@ -4100,7 +4100,7 @@ to name-virtual hosts</td></tr>
     in the order they appear in the configuration.  The first matching <code class="directive"><a href="#servername">ServerName</a></code> or <code class="directive"><a href="#serveralias">ServerAlias</a></code> is used, with no different precedence for wildcards
     (nor for ServerName vs. ServerAlias).  </p>
 
-    <p>The complete list of names in the <code class="directive">VirtualHost</code>
+    <p>The complete list of names in the <code class="directive"><a href="#virtualhost">&lt;VirtualHost&gt;</a></code>
     directive are treated just like a (non wildcard)
     <code class="directive">ServerAlias</code>.</p>
 
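Review bot: the unchanged context line "directive are treated just like a (non wildcard)" has a subject-verb disagreement (the subject is "The complete list of names", so it should read "is treated"). Since this .html.en file is generated (the log says "rebuild"), the fix belongs in the corresponding core.xml source so the next rebuild carries it; the new <a href="#virtualhost"> link itself is fine.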
@@ -4126,12 +4126,12 @@ itself</td></tr>
     </p>
 
     <p><code class="directive">ServerName</code> is used (possibly
-    in conjunction with <code class="directive">ServerAlias</code>) to uniquely
+    in conjunction with <code class="directive"><a href="#serveralias">ServerAlias</a></code>) to uniquely
     identify a virtual host, when using <a href="../vhosts/name-based.html">name-based virtual hosts</a>.</p>
 
     <p>Additionally, this is used when
     creating self-referential redirection URLs when 
-    <code class="directive">UseCanonicalName</code> is set to a non-default
+    <code class="directive"><a href="#usecanonicalname">UseCanonicalName</a></code> is set to a non-default
     value.</p>
 
     <p>For example, if the name of the

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en?rev=1747191&r1=1747190&r2=1747191&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.html.en Tue Jun  7 11:00:52 2016
@@ -1607,15 +1607,30 @@ contains the appropriate symbolic links.
 <p>
 This directive sets whether the remote server certificate's CN field is
 compared against the hostname of the request URL. If both are not equal
-a 502 status code (Bad Gateway) is sent.
+a 502 status code (Bad Gateway) is sent. <code>SSLProxyCheckPeerCN</code> is
+superseded by <code class="directive"><a href="#sslproxycheckpeername">SSLProxyCheckPeerName</a></code>
+in release 2.4.5 and later. 
 </p>
 <p>
-In 2.4.5 and later, SSLProxyCheckPeerCN has been superseded by
-<code class="directive"><a href="#sslproxycheckpeername">SSLProxyCheckPeerName</a></code>, and its
-setting is only taken into account when
-<code>SSLProxyCheckPeerName off</code> is specified at the same time.
+In all releases 2.4.5 through 2.4.20, setting
+<code>SSLProxyCheckPeerName off</code> was sufficient to enable this behavior
+(as the <code>SSLProxyCheckPeerCN</code> default was <code>on</code>.) In 
+these releases, both directives must be set to <code>off</code> to completely
+avoid remote server certificate name validation. Many users reported this
+to be very confusing.
 </p>
-<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyCheckPeerCN on</pre>
+<p>
+As of release 2.4.21, all configurations which enable either one of the
+<code>SSLProxyCheckPeerName</code> or <code>SSLProxyCheckPeerCN</code> options
+will use the new <code class="directive"><a href="#sslproxycheckpeername">SSLProxyCheckPeerName</a></code>
+behavior, and all configurations which disable either one of the 
+<code>SSLProxyCheckPeerName</code> or <code>SSLProxyCheckPeerCN</code> options
+will supress all remote server certificate name validation. Only the following
+configuration will trigger the legacy certificate CN comparison in 2.4.21 and
+later releases;
+</p>
+<div class="example"><h3>Example</h3><pre class="prettyprint lang-config">SSLProxyCheckPeerCN on
+SSLProxyCheckPeerName off</pre>
 </div>
 
 </div>
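Review bot: the 2.4.21 paragraph ("+will supress all remote server certificate name validation") needs an explicit upgrade warning: per the removed lines, in 2.4.5 through 2.4.20 an "SSLProxyCheckPeerCN off" setting was ignored whenever SSLProxyCheckPeerName stayed at its default of on, so an existing configuration with only that line still validated backend certificate names; after this change the same line disables name validation entirely, which silently weakens a proxy on upgrade. Suggest a sentence to that effect, plus labelling the sole "Example" block ("SSLProxyCheckPeerCN on / SSLProxyCheckPeerName off") as the legacy, weaker form, since the same text says it only compares the first CN attribute and ignores subjectAltName; readers who want backend name validation should be pointed at "SSLProxyCheckPeerName on" instead. Minor: "supress" should be "suppress", "later releases;" should end with a colon, and "in release 2.4.5 and later. " has trailing whitespace. All of these should be fixed in mod_ssl.xml, not in this generated file.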
@@ -1654,21 +1669,30 @@ sent.
 <tr><th><a href="directive-dict.html#Compatibility">Compatibility:</a></th><td>Apache HTTP Server 2.4.5 and later</td></tr>
 </table>
 <p>
-This directive configures host name checking for server certificates
-when mod_ssl is acting as an SSL client. The check will
-succeed if the host name from the request URI is found in
-either the subjectAltName extension or (one of) the CN attribute(s)
-in the certificate's subject. If the check fails, the SSL request
-is aborted and a 502 status code (Bad Gateway) is returned.
-The directive supersedes <code class="directive"><a href="#sslproxycheckpeercn">SSLProxyCheckPeerCN</a></code>,
-which only checks for the expected host name in the first CN attribute.
+This directive configures host name checking for server certificates when 
+mod_ssl is acting as an SSL client. The check will succeed if the host name 
+from the request URI matches one of the CN attribute(s) of the certificate's 
+subject, or matches the subjectAltName extension. If the check fails, the SSL 
+request is aborted and a 502 status code (Bad Gateway) is returned.
+</p>
+<p>
+Wildcard matching is supported for specific cases: an subjectAltName entry
+of type dNSName, or CN attributes starting with <code>*.</code> will match
+with any host name of the same number of name elements and the same suffix.
+E.g. <code>*.example.org</code> will match <code>foo.example.org</code>,
+but will not match <code>foo.bar.example.org</code>, because the number of
+elements in the respective host names differs.
 </p>
 <p>
-Wildcard matching is supported in one specific flavor: subjectAltName entries
-of type dNSName or CN attributes starting with <code>*.</code> will match
-for any DNS name with the same number of labels and the same suffix
-(i.e., <code>*.example.org</code> matches for <code>foo.example.org</code>,
-but not for <code>foo.bar.example.org</code>).
+This feature was introduced in 2.4.5 and superseded the behavior of the 
+<code class="directive"><a href="#sslproxycheckpeercn">SSLProxyCheckPeerCN</a></code> directive, which 
+only tested the exact value in the first CN attribute against the host name.
+However, many users were confused by the behavior of using these directives
+individually, so the mutual behavior of <code>SSLProxyCheckPeerName</code> 
+and <code>SSLProxyCheckPeerCN</code> directives were improved in release 
+2.4.21. See the <code class="directive"><a href="#sslproxycheckpeercn">SSLProxyCheckPeerCN</a></code> 
+directive description for the original behavior and details of these 
+improvements.
 </p>
 
 </div>
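Review bot: the rewritten description loses precision relative to the removed lines. "-either the subjectAltName extension or (one of) the CN attribute(s)" became "+subject, or matches the subjectAltName extension", which no longer says which part of the extension is compared; the wildcard paragraph below does say "type dNSName", so suggest "or matches one of the dNSName entries of the subjectAltName extension". Also "an subjectAltName entry" should be "a subjectAltName entry", "the mutual behavior ... were improved" should be "was improved", and most of the added lines end in trailing whitespace (e.g. "+This directive configures host name checking for server certificates when "). As with the rest of this commit, the fixes belong in mod_ssl.xml so the next rebuild does not reintroduce them.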