|Summary:||SSL Client Verification Errors|
|Component:||mod_ssl||Assignee:||Apache HTTPD Bugs Mailing List <bugs>|
|Attachments:||Patch to make optional_no_ca a little more optional|
Description leanmeandonothingmachine 2009-03-23 17:25:48 UTC
Right now when you use SSLVerifyClient optional_no_ca, and the client presents a certificate that is either not ready, expired, or revoked then the handshake fails and the connection is cut. Most of the time it's not really clear to the client why that happened. I'd like to make optional_no_ca a debug sort of option where when one of those problems are encountered, rather than cutting the connection it would continue to serve the request but the SSL_CLIENT_VERIFY would of course be FAILED.
Comment 1 leanmeandonothingmachine 2009-03-23 17:27:08 UTC
Created attachment 23403 [details] Patch to make optional_no_ca a little more optional