View | Details | Raw Unified | Return to bug 45922

(-)docs/manual/mod/mod_ssl.xml (-36 / +71 lines)
Lines 81-87 Link Here
81
<tr><td><code>SSL_CLIENT_A_KEY</code></td>              <td>string</td>    <td>Algorithm used for the public key of client's certificate</td></tr>
81
<tr><td><code>SSL_CLIENT_A_KEY</code></td>              <td>string</td>    <td>Algorithm used for the public key of client's certificate</td></tr>
82
<tr><td><code>SSL_CLIENT_CERT</code></td>               <td>string</td>    <td>PEM-encoded client certificate</td></tr>
82
<tr><td><code>SSL_CLIENT_CERT</code></td>               <td>string</td>    <td>PEM-encoded client certificate</td></tr>
83
<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td>    <td>PEM-encoded certificates in client certificate chain</td></tr>
83
<tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td>    <td>PEM-encoded certificates in client certificate chain</td></tr>
84
<tr><td><code>SSL_CLIENT_VERIFY</code></td>             <td>string</td>    <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr>
84
<tr><td><code>SSL_CLIENT_VERIFY</code></td>             <td>string</td>    <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS:<em>reason</em></code> or <code>FAILED:</code><em>reason</em></td></tr>
85
<tr><td><code>SSL_SERVER_M_VERSION</code></td>          <td>string</td>    <td>The version of the server certificate</td></tr>
85
<tr><td><code>SSL_SERVER_M_VERSION</code></td>          <td>string</td>    <td>The version of the server certificate</td></tr>
86
<tr><td><code>SSL_SERVER_M_SERIAL</code></td>           <td>string</td>    <td>The serial of the server certificate</td></tr>
86
<tr><td><code>SSL_SERVER_M_SERIAL</code></td>           <td>string</td>    <td>The serial of the server certificate</td></tr>
87
<tr><td><code>SSL_SERVER_S_DN</code></td>               <td>string</td>    <td>Subject DN in server's certificate</td></tr>
87
<tr><td><code>SSL_SERVER_S_DN</code></td>               <td>string</td>    <td>Subject DN in server's certificate</td></tr>
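Review bot: In the SSL_CLIENT_VERIFY row (new line 84) the reason suffix is documented as always present, and it is marked up differently from the FAILED case: <code>GENEROUS:<em>reason</em></code> nests the <em> inside <code>, while FAILED uses <code>FAILED:</code><em>reason</em>. The ssl_engine_vars.c hunk in this same patch still returns a bare GENEROUS when verr is NULL, so the row should list both GENEROUS and GENEROUS:reason, using the same markup as FAILED.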
Lines 987-1017 Link Here
987
987
988
<usage>
988
<usage>
989
<p>
989
<p>
990
This directive sets the Certificate verification level for the Client
990
This directive sets the Certificate verification level for Client Certificate
991
Authentication. Notice that this directive can be used both in per-server and
991
Authentication. Notice that this directive can be used both in per-server and
992
per-directory context. In per-server context it applies to the client
992
per-directory context. In per-server context it applies to the client
993
authentication process used in the standard SSL handshake when a connection is
993
authentication process in the initial SSL handshake when a connection is
994
established. In per-directory context it forces a SSL renegotation with the
994
established. In per-directory context it forces a SSL renegotation with the
995
reconfigured client verification level after the HTTP request was read but
995
reconfigured client verification level after the HTTP request is read but
996
before the HTTP response is sent.</p>
996
before the HTTP response is sent.</p>
997
<p>
997
<p>
998
The following levels are available for <em>level</em>:</p>
998
The following levels are available for <em>level</em>:</p>
999
<ul>
999
<ul>
1000
<li><strong>none</strong>:
1000
<li><code>none</code>
1001
     no client Certificate is required at all</li>
1001
    <p>No client Certificate is requested.</p></li>
1002
<li><strong>optional</strong>:
1002
<li><code>optional_no_verify</code>
1003
     the client <em>may</em> present a valid Certificate</li>
1003
    <p>The client is asked to present a Certificate signed by one of our
1004
<li><strong>require</strong>:
1004
    trusted CA Certificates, but will be accepted even if no Certificate is
1005
     the client <em>has to</em> present a valid Certificate</li>
1005
    provided, if the provided Certificate is not signed by one of our trusted
1006
<li><strong>optional_no_ca</strong>:
1006
    CA Certificates, or if the provided Certificate has been revoked or is
1007
     the client may present a valid Certificate<br />
1007
    otherwise invalid.</p></li>
1008
     but it need not to be (successfully) verifiable.</li>
1008
<li><code>optional_no_ca</code>
1009
    <p>The client is asked to present a Certificate signed by one of our
1010
    trusted CA Certificates, and will be accepted even if no Certificate is
1011
    provided or if the provided Certificate is not signed by one of our trusted
1012
    CA Certificates, but will be disconnected if the provided Certificate has
1013
    been revoked or is otherwise invalid.</p></li>
1014
<li><code>optional</code>
1015
    <p>The client is asked to present a Certificate signed by one of our
1016
    trusted CA Certificates, and will be accepted even if no Certificate is
1017
    provided, but will be disconnected if the provided Certificate is not
1018
    signed by one of our trusted CA Certificates, has been revoked, or is
1019
    otherwise invalid.</p></li>
1020
<li><code>require</code>
1021
    <p>The client is asked to present a Certificate signed by one of our
1022
    trusted CA Certificates, and will be disconnected if no Certificate is
1023
    provided, if the provided Certificate is not signed by on of our trusted CA
1024
    Certificates, or if the provided Certificate has been revoked or is
1025
    otherwise invalid.</p></li>
1009
</ul>
1026
</ul>
1010
<p>In practice only levels <strong>none</strong> and
1027
<p>In practice, most users will want either <strong>none</strong> or
1011
<strong>require</strong> are really interesting, because level
1028
<strong>require</strong>, as the other levels allow users to bypass the
1012
<strong>optional</strong> doesn't work with all browsers and level
1029
authentication mechanism.  However, the other levels may be useful for testing,
1013
<strong>optional_no_ca</strong> is actually against the idea of
1030
or if your web application does it's own Certificate verification.</p>
1014
authentication (but can be used to establish SSL test pages, etc.)</p>
1031
<p>See the <directive module="mod_ssl">SSLCACertificateFile</directive> and
1032
<directive module="mod_ssl">SSLCACertificatePath</directive> directives to
1033
configure the list of trusted CA Certificates.</p>
1034
<p>If using one of the <strong>optional</strong> levels, note that if the
1035
client does not have a suitable Certificate signed by one of the specified
1036
trusted CAs, most browsers will attempt to continue without providing a
1037
Certificate, but some browsers may give up and disconnect on their own.</p>
1038
<p>If using <strong>optional_no_ca</strong> or
1039
<strong>optional_no_verify</strong>, you can request any available Certificate
1040
(signed by any CA) from most browsers by creating a file containing only a
1041
single space character, and pointing SSLCACertificateFile at that file.</p>
1015
<example><title>Example</title>
1042
<example><title>Example</title>
1016
SSLVerifyClient require
1043
SSLVerifyClient require
1017
</example>
1044
</example>
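Review bot: The new text at lines 1029-1030 says the optional levels suit a web application that does its own Certificate verification, but nothing in this usage section tells that application to check SSL_CLIENT_VERIFY. Under optional_no_ca and optional_no_verify the connection is accepted with a certificate that failed verification, so the section should state that only SUCCESS means the certificate was verified and that GENEROUS or GENEROUS:reason means it was not. Two typos in added lines: "signed by on of our trusted CA" at line 1023 should read "one of", and "it's own" at line 1030 should read "its own".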
Lines 1448-1461 Link Here
1448
<usage>
1475
<usage>
1449
1476
1450
<p>When a proxy is configured to forward requests to a remote SSL
1477
<p>When a proxy is configured to forward requests to a remote SSL
1451
server, this directive can be used to configure certificate
1478
server, this directive can be used to configure verification of the
1452
verification of the remote server.  Notice that this directive can be
1479
remote server's SSL Certificate. Notice that this directive can be
1453
used both in per-server and per-directory context. In per-server
1480
used both in per-server and per-directory context. In per-server
1454
context it applies to the remote server authentication process used in
1481
context it applies to the remote server authentication process used in
1455
the standard SSL handshake when a connection is established by the
1482
the initial SSL handshake when a connection is established by the
1456
proxy. In per-directory context it forces a SSL renegotation with the
1483
proxy. In per-directory context it forces a SSL renegotation with the
1457
reconfigured remote server verification level after the HTTP request
1484
reconfigured remote server verification level after the HTTP request
1458
was read but before the HTTP response is sent.</p>
1485
is read but before the HTTP response is sent.</p>
1459
1486
1460
<note type="warning">
1487
<note type="warning">
1461
<p>Note that even when certificate verification is enabled,
1488
<p>Note that even when certificate verification is enabled,
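Review bot: The rewritten sentence at new line 1479 keeps the claim that SSLProxyVerify can be used in per-directory context, but modules/ssl/mod_ssl.c in this patch registers ProxyVerify with SSL_CMD_SRV, whereas VerifyClient uses SSL_CMD_ALL. If the directive is server-scope only, drop the per-directory and renegotiation sentences here rather than rewording them. The context line at 1483 also misspells "renegotiation" as "renegotation" and could be fixed while this paragraph is being touched.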
Lines 1477-1497 Link Here
1477
<p>
1504
<p>
1478
The following levels are available for <em>level</em>:</p>
1505
The following levels are available for <em>level</em>:</p>
1479
<ul>
1506
<ul>
1480
<li><strong>none</strong>:
1507
<li><code>none</code>
1481
     no remote server Certificate is required at all</li>
1508
    <p>No remote server Certificate verification will be performed.</p></li>
1482
<li><strong>optional</strong>:
1509
<li><code>optional_no_verify</code>
1483
     the remote server <em>may</em> present a valid Certificate</li>
1510
    <p>If the remote server provides a Certificate, it will be verified, but
1484
<li><strong>require</strong>:
1511
    the result will be ignored.</p></li>
1485
     the remote server <em>has to</em> present a valid Certificate</li>
1512
<li><code>optional_no_ca</code>
1486
<li><strong>optional_no_ca</strong>:
1513
    <p>If the remote server provides a Certificate, it will be verified. The
1487
     the remote server may present a valid Certificate<br />
1514
    connection will be accepted even if the Certificate is not signed by one of
1488
     but it need not to be (successfully) verifiable.</li>
1515
    the CAs listed in
1516
    <directive module="mod_ssl">SSLProxyCACertificateFile</directive> or
1517
    <directive module="mod_ssl">SSLProxyCACertificatePath</directive>, but will
1518
    be rejected if verification fails for any other reason.</p></li>
1519
<li><code>optional</code>
1520
    <p>If the remote server provides a Certificate, it will be verified, and the
1521
    connection will be rejected if verification fails.</p></li>
1522
<li><code>require</code>
1523
    <p>The connection will be rejected unless the remote server provides a
1524
    Certificate and that Certificate is successfully verified.</p></li>
1489
</ul>
1525
</ul>
1490
<p>In practice only levels <strong>none</strong> and
1526
<p>In practice, most users will want either <strong>none</strong> or
1491
<strong>require</strong> are really interesting, because level
1527
<strong>require</strong>, as the other levels allow a remote server to bypass
1492
<strong>optional</strong> doesn't work with all servers and level
1528
the authentication mechanism.  However, the other levels may be useful for
1493
<strong>optional_no_ca</strong> is actually against the idea of
1529
testing.</p>
1494
authentication (but can be used to establish SSL test pages, etc.)</p>
1495
<example><title>Example</title>
1530
<example><title>Example</title>
1496
SSLProxyVerify require
1531
SSLProxyVerify require
1497
</example>
1532
</example>
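Review bot: The summary paragraph at new lines 1526-1529 recommends none or require on the grounds that the other levels let a remote server bypass authentication, yet none is described at line 1508 as performing no verification at all, so it is the weakest option rather than a safe one. Suggest recommending require for any proxy that relies on the identity of the backend, and describing none together with the optional levels as test-only settings.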
(-)modules/ssl/ssl_private.h (-1 / +2 lines)
Lines 229-235 Link Here
229
    SSL_CVERIFY_NONE            = 0,
229
    SSL_CVERIFY_NONE            = 0,
230
    SSL_CVERIFY_OPTIONAL        = 1,
230
    SSL_CVERIFY_OPTIONAL        = 1,
231
    SSL_CVERIFY_REQUIRE         = 2,
231
    SSL_CVERIFY_REQUIRE         = 2,
232
    SSL_CVERIFY_OPTIONAL_NO_CA  = 3
232
    SSL_CVERIFY_OPTIONAL_NO_CA  = 3,
233
    SSL_CVERIFY_OPTIONAL_NO_VERIFY = 4
233
} ssl_verify_t;
234
} ssl_verify_t;
234
235
235
#define SSL_VERIFY_PEER_STRICT \
236
#define SSL_VERIFY_PEER_STRICT \
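Review bot: SSL_CVERIFY_OPTIONAL_NO_VERIFY is added as 4, which makes it numerically the largest member of ssl_verify_t although the comment updated in ssl_engine_kernel.c ranks it weakest after none ("none << optional_no_verify << optional_no_ca << optional << require"). The enum values do not follow that order (require is 2, optional_no_ca is 3), so a comment here saying the values must not be compared with < or > would keep a later change from treating the new level as stronger than require.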
(-)modules/ssl/ssl_engine_init.c (-1 / +2 lines)
Lines 534-540 Link Here
534
    }
534
    }
535
535
536
    if ((mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
536
    if ((mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
537
        (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
537
        (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) ||
538
        (mctx->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY))
538
    {
539
    {
539
        verify |= SSL_VERIFY_PEER;
540
        verify |= SSL_VERIFY_PEER;
540
    }
541
    }
(-)modules/ssl/ssl_engine_config.c (+3 lines)
Lines 938-943 Link Here
938
    else if (strcEQ(arg, "optional_no_ca")) {
938
    else if (strcEQ(arg, "optional_no_ca")) {
939
        *id = SSL_CVERIFY_OPTIONAL_NO_CA;
939
        *id = SSL_CVERIFY_OPTIONAL_NO_CA;
940
    }
940
    }
941
    else if (strcEQ(arg, "optional_no_verify")) {
942
        *id = SSL_CVERIFY_OPTIONAL_NO_VERIFY;
943
    }
941
    else {
944
    else {
942
        return apr_pstrcat(parms->temp_pool, parms->cmd->name,
945
        return apr_pstrcat(parms->temp_pool, parms->cmd->name,
943
                           ": Invalid argument '", arg, "'",
946
                           ": Invalid argument '", arg, "'",
(-)modules/ssl/ssl_engine_io.c (-10 / +12 lines)
Lines 1169-1176 Link Here
1169
    if ((verify_result != X509_V_OK) ||
1169
    if ((verify_result != X509_V_OK) ||
1170
        sslconn->verify_error)
1170
        sslconn->verify_error)
1171
    {
1171
    {
1172
        if (ssl_verify_error_is_optional(verify_result) &&
1172
        const char *error = sslconn->verify_error ?
1173
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
1173
            sslconn->verify_error :
1174
            X509_verify_cert_error_string(verify_result);
1175
1176
        if ((ssl_verify_error_is_optional(verify_result) &&
1177
            sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) ||
1178
            sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY)
1174
        {
1179
        {
1175
            /* leaving this log message as an error for the moment,
1180
            /* leaving this log message as an error for the moment,
1176
             * according to the mod_ssl docs:
1181
             * according to the mod_ssl docs:
Lines 1181-1197 Link Here
1181
             * in 1.x
1186
             * in 1.x
1182
             */
1187
             */
1183
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1188
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1184
                          "SSL client authentication failed, "
1189
                          "SSL client authentication failed, accepting "
1185
                          "accepting certificate based on "
1190
                          "certificate based on \"SSLVerifyClient "
1186
                          "\"SSLVerifyClient optional_no_ca\" "
1191
                          "optional_no_ca\" or \"SSLVerifyClient "
1187
                          "configuration");
1192
                          "optional_no_verify\" configuration: %s",
1193
                          error ? error : "unknown");
1188
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
1194
            ssl_log_ssl_error(APLOG_MARK, APLOG_INFO, server);
1189
        }
1195
        }
1190
        else {
1196
        else {
1191
            const char *error = sslconn->verify_error ?
1192
                sslconn->verify_error :
1193
                X509_verify_cert_error_string(verify_result);
1194
1195
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1197
            ap_log_cerror(APLOG_MARK, APLOG_INFO, 0, c,
1196
                         "SSL client authentication failed: %s",
1198
                         "SSL client authentication failed: %s",
1197
                         error ? error : "unknown");
1199
                         error ? error : "unknown");
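Review bot: The accepting branch logs one fixed string naming both "SSLVerifyClient optional_no_ca" and "SSLVerifyClient optional_no_verify" (new lines 1189-1192), so the log does not say which level let the failed certificate through. sc->server->auth.verify_mode is already tested a few lines above; pick the level name from it and log only that one. The retained comment says this message is left as an error, but the call uses APLOG_INFO, and with optional_no_verify it now also covers revoked or otherwise invalid certificates; the comment and the level should be brought into agreement.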
(-)modules/ssl/ssl_engine_vars.c (-2 / +5 lines)
Lines 611-619 Link Here
611
    else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL)
611
    else if (vrc == X509_V_OK && verr == NULL && vinfo == NULL && xs != NULL)
612
        /* client verification done successful */
612
        /* client verification done successful */
613
        result = "SUCCESS";
613
        result = "SUCCESS";
614
    else if (vrc == X509_V_OK && vinfo != NULL && strEQ(vinfo, "GENEROUS"))
614
    else if (vinfo != NULL && strEQ(vinfo, "GENEROUS"))
615
        /* client verification done in generous way */
615
        /* client verification done in generous way */
616
        result = "GENEROUS";
616
        if (verr)
617
            result = apr_psprintf(p, "GENEROUS:%s", verr);
618
        else
619
            result = "GENEROUS";
617
    else
620
    else
618
        /* client verification failed */
621
        /* client verification failed */
619
        result = apr_psprintf(p, "FAILED:%s", verr);
622
        result = apr_psprintf(p, "FAILED:%s", verr);
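Review bot: The GENEROUS branch (new lines 614-619) returns "GENEROUS:reason" whenever verr is set, and the ssl_engine_kernel.c hunk at line 1369 sets verify_error for optional_no_ca as well, so existing optional_no_ca configurations that compare SSL_CLIENT_VERIFY against the exact string GENEROUS will stop matching. A rule that denies on GENEROUS would then let those requests through; this change in the variable's value needs a compatibility note, and the documentation should steer checks toward "equals SUCCESS". The nested if/else is also added without braces under the else if; it binds as intended, but braces around the branch body would remove the dangling-else ambiguity.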
(-)modules/ssl/ssl_engine_kernel.c (-22 / +58 lines)
Lines 454-460 Link Here
454
     * We force a renegotiation if the reconfigured/new verify type is
454
     * We force a renegotiation if the reconfigured/new verify type is
455
     * stronger than the currently active verify type.
455
     * stronger than the currently active verify type.
456
     *
456
     *
457
     * The order is: none << optional_no_ca << optional << require
457
     * The order is: none << optional_no_verify << optional_no_ca << optional << require
458
     *
458
     *
459
     * Additionally the following optimization is possible here: When the
459
     * Additionally the following optimization is possible here: When the
460
     * currently active verify type is "none" but a client certificate is
460
     * currently active verify type is "none" but a client certificate is
Lines 476-483 Link Here
476
476
477
        if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
477
        if ((dc->nVerifyClient == SSL_CVERIFY_OPTIONAL) ||
478
            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ||
478
            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_CA) ||
479
            (dc->nVerifyClient == SSL_CVERIFY_OPTIONAL_NO_VERIFY) ||
479
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
480
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL) ||
480
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA))
481
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_CA) ||
482
            (sc->server->auth.verify_mode == SSL_CVERIFY_OPTIONAL_NO_VERIFY))
481
        {
483
        {
482
            verify |= SSL_VERIFY_PEER;
484
            verify |= SSL_VERIFY_PEER;
483
        }
485
        }
Lines 1354-1367 Link Here
1354
    }
1356
    }
1355
1357
1356
    if (ssl_verify_error_is_optional(errnum) &&
1358
    if (ssl_verify_error_is_optional(errnum) &&
1357
        (verify == SSL_CVERIFY_OPTIONAL_NO_CA))
1359
        ((verify == SSL_CVERIFY_OPTIONAL_NO_CA) ||
1360
         (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY)))
1358
    {
1361
    {
1359
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
1362
        ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
1360
                      "Certificate Verification: Verifiable Issuer is "
1363
                      "Certificate Verification: Error (%d) but verifiable "
1361
                      "configured as optional, therefore we're accepting "
1364
                      "Issuer is configured as optional, therefore we're "
1362
                      "the certificate");
1365
                      "accepting the certificate: %s", errnum,
1366
                      X509_verify_cert_error_string(errnum));
1363
1367
1364
        sslconn->verify_info = "GENEROUS";
1368
        sslconn->verify_info = "GENEROUS";
1369
        sslconn->verify_error = X509_verify_cert_error_string(errnum);
1365
        ok = TRUE;
1370
        ok = TRUE;
1366
    }
1371
    }
1367
1372
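Review bot: Line 1369 now stores a verify_error string on the path that sets ok = TRUE, so a non-NULL sslconn->verify_error no longer means the certificate was rejected. The check in ssl_engine_io.c, "(verify_result != X509_V_OK) || sslconn->verify_error", will now be entered for accepted optional_no_ca certificates, and acceptance there depends on ssl_verify_error_is_optional(verify_result), which this patch does not show. Please confirm every reader of verify_error was audited, or carry the reason in a separate field next to verify_info.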
Lines 1378-1393 Link Here
1378
     * If we already know it's not ok, log the real reason
1383
     * If we already know it's not ok, log the real reason
1379
     */
1384
     */
1380
    if (!ok) {
1385
    if (!ok) {
1381
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
1386
        if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) {
1382
                      "Certificate Verification: Error (%d): %s",
1387
            ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, conn,
1383
                      errnum, X509_verify_cert_error_string(errnum));
1388
                          "Certificate Verification: Error (%d) but "
1389
                          "verification is configured as optional, therefore "
1390
                          "we're accepting the certificate: %s", errnum,
1391
                          X509_verify_cert_error_string(errnum));
1384
1392
1385
        if (sslconn->client_cert) {
1393
            sslconn->verify_info = "GENEROUS";
1386
            X509_free(sslconn->client_cert);
1394
            if (!sslconn->verify_error) {
1387
            sslconn->client_cert = NULL;
1395
                sslconn->verify_error = X509_verify_cert_error_string(errnum);
1396
            }
1397
            ok = TRUE;
1388
        }
1398
        }
1389
        sslconn->client_dn = NULL;
1399
        else {
1390
        sslconn->verify_error = X509_verify_cert_error_string(errnum);
1400
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
1401
                          "Certificate Verification: Error (%d): %s",
1402
                          errnum, X509_verify_cert_error_string(errnum));
1403
1404
            if (sslconn->client_cert) {
1405
                X509_free(sslconn->client_cert);
1406
                sslconn->client_cert = NULL;
1407
            }
1408
            sslconn->client_dn = NULL;
1409
            sslconn->verify_error = X509_verify_cert_error_string(errnum);
1410
        }
1391
    }
1411
    }
1392
1412
1393
    /*
1413
    /*
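Review bot: In the optional_no_verify branch (new lines 1386-1398) the failed certificate is accepted without the X509_free(sslconn->client_cert) and client_dn = NULL cleanup that the else branch keeps, so the identity taken from an unverified certificate stays attached to the connection. That is the purpose of the level, but a comment here should say so and state that consumers must check verify_info before trusting the DN. The acceptance is also logged only at APLOG_DEBUG where the rejection path uses APLOG_ERR; APLOG_INFO would match the accept message in ssl_engine_io.c.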
Lines 1401-1416 Link Here
1401
    }
1421
    }
1402
1422
1403
    if (errdepth > depth) {
1423
    if (errdepth > depth) {
1404
        ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
1424
        if (verify == SSL_CVERIFY_OPTIONAL_NO_VERIFY) {
1405
                      "Certificate Verification: Certificate Chain too long "
1425
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
1406
                      "(chain has %d certificates, but maximum allowed are "
1426
                          "Certificate Verification: Certificate Chain too long "
1407
                      "only %d)",
1427
                          "(chain has %d certificates, but maximum allowed are "
1408
                      errdepth, depth);
1428
                          "only %d) but verification is configured as optional, "
1429
                          "therefore we're accepting the certificate",
1430
                          errdepth, depth);
1409
1431
1410
        errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
1432
            sslconn->verify_info = "GENEROUS";
1411
        sslconn->verify_error = X509_verify_cert_error_string(errnum);
1433
            if (!sslconn->verify_error) {
1434
                errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
1435
                sslconn->verify_error = X509_verify_cert_error_string(errnum);
1436
            }
1437
        }
1438
        else {
1439
            ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, conn,
1440
                          "Certificate Verification: Certificate Chain too long "
1441
                          "(chain has %d certificates, but maximum allowed are "
1442
                          "only %d)",
1443
                          errdepth, depth);
1412
1444
1413
        ok = FALSE;
1445
            errnum = X509_V_ERR_CERT_CHAIN_TOO_LONG;
1446
            sslconn->verify_error = X509_verify_cert_error_string(errnum);
1447
1448
            ok = FALSE;
1449
        }
1414
    }
1450
    }
1415
1451
1416
    /*
1452
    /*
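Review bot: The optional_no_verify branch for an over-long chain (new lines 1424-1437) logs the accepted certificate at APLOG_ERR, while the accept path added at line 1387 logs at APLOG_DEBUG; the two should use the same level. errnum is set to X509_V_ERR_CERT_CHAIN_TOO_LONG only inside "if (!sslconn->verify_error)", so when an earlier error is already recorded errnum keeps its old value and the chain-length failure appears nowhere except this log line. Moving the errnum assignment above the if, as in the else branch, would keep the two branches consistent.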
(-)modules/ssl/mod_ssl.c (-2 / +2 lines)
Lines 131-137 Link Here
131
                "(`/path/to/file' - PEM encoded)")
131
                "(`/path/to/file' - PEM encoded)")
132
    SSL_CMD_ALL(VerifyClient, TAKE1,
132
    SSL_CMD_ALL(VerifyClient, TAKE1,
133
                "SSL Client verify type "
133
                "SSL Client verify type "
134
                "(`none', `optional', `require', `optional_no_ca')")
134
                "(`none', `optional_no_verify', `optional_no_ca', `optional', `require')")
135
    SSL_CMD_ALL(VerifyDepth, TAKE1,
135
    SSL_CMD_ALL(VerifyDepth, TAKE1,
136
                "SSL Client verify depth "
136
                "SSL Client verify depth "
137
                "(`N' - number of intermediate certificates)")
137
                "(`N' - number of intermediate certificates)")
Lines 164-170 Link Here
164
               "(`XXX:...:XXX' - see manual)")
164
               "(`XXX:...:XXX' - see manual)")
165
    SSL_CMD_SRV(ProxyVerify, TAKE1,
165
    SSL_CMD_SRV(ProxyVerify, TAKE1,
166
               "SSL Proxy: whether to verify the remote certificate "
166
               "SSL Proxy: whether to verify the remote certificate "
167
               "(`on' or `off')")
167
               "(`none', `optional_no_verify', `optional_no_ca', `optional', `require')")
168
    SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
168
    SSL_CMD_SRV(ProxyVerifyDepth, TAKE1,
169
               "SSL Proxy: maximum certificate verification depth "
169
               "SSL Proxy: maximum certificate verification depth "
170
               "(`N' - number of intermediate certificates)")
170
               "(`N' - number of intermediate certificates)")
