On Fri, Dec 10, 2004 at 01:24:29PM -0500, TAYLOR, TIM (CONTRACTOR) wrote:
> I have attached three patch versions. Writing the code is not nearly
> as difficult as figuring out the best way to go.

[EMAIL PROTECTED] is not the best place to discuss this; I'm following
up to [EMAIL PROTECTED] (An alternative way to get patches attention is
to put them in bugzilla, http://issues.apache.org/bugzilla/)

...

> Patch 3 (new config) source: ssl_engine_init.c, ssl_engine_kernel.c,
> ssl_engine_config.c, mod_ssl.c, mod_ssl.h. Two new directives,
> SSLCADNRequestFile and SSLCADNRequestPath. I figured I might as well
> give the same flexibility. If the new directives are not specified old
> behavior continues. If either or both SSLCADNRequest* is configured,
> they would configure the client_CA stack ONLY and any
> SSLCACertificate* directive(s) will be used for the cert store load
> ONLY. The benefit here is complete downward compatibility. No
> requirement to use the new directives and no change in meaning for the
> use of existing directives (except when new is used too).

Neither of the backwards-incompatible solutions looks particularly
desirable. I can't think of a better way than Patch 3 really. It would
be nice if there was some way of just picking out the DNs by name from
the already configured SSLCACertificate* chain, e.g.

  SSLCADNRequest /C=US/O=Blah/OU=...

to avoid the chance of having a mismatch where the client is sent the
wrong DNs, but you get into syntax issues and I don't know if OpenSSL
even supports parsing dnames like that.

I don't think there's any need for the SSLCAProxyDN* you added in your
patch, there is no equivalent point where the client sends DNs, but
otherwise it looks OK. Could you resubmit the patch without that bit?

Regards, joe
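The split that Patch 3 describes (SSLCACertificate* loads the verification store, SSLCADNRequest* alone decides which CA names go into the CertificateRequest) is easiest to see as a configuration. The fragment below is an added example, not code or configuration from the thread or from the httpd project; it assumes the directive names landed as SSLCADNRequestFile / SSLCADNRequestPath with exactly the semantics quoted above, and every file path in it is a placeholder.

```apache
# Added example (not from the thread or from httpd itself). Assumes the
# Patch-3 semantics: SSLCACertificate* -> verification store only,
# SSLCADNRequest* -> advertised CA names only. Paths are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # Trust store used to VERIFY the client's chain. Holds every CA
    # (roots and intermediates) that may have issued a client cert to us.
    # Without SSLCADNRequestFile below, old behaviour applies and the DNs
    # of ALL certificates in this bundle are advertised to the client.
    SSLCACertificateFile /etc/ssl/ca/verify-bundle.pem

    # Names sent in the CertificateRequest. Once this is set, only the
    # subject DNs of the certificates in this file are advertised, and
    # verify-bundle.pem is no longer consulted for that list. Keep it a
    # subset of the verify bundle, otherwise a client may pick an issuer
    # the server cannot actually verify (the mismatch the reply warns about).
    SSLCADNRequestFile /etc/ssl/ca/advertised-cas.pem

    SSLVerifyClient require
    SSLVerifyDepth  3
</VirtualHost>
```

The check to make after deploying such a split is the one the reply alludes to: every DN in the advertised file must correspond to an issuer that the verification bundle can chain to, or clients will be invited to present certificates the server then rejects. The advertised list can be confirmed from outside with `openssl s_client -connect host:443`, whose output includes an "Acceptable client certificate CA names" section listing exactly the DNs the server sent.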