Plüm, Rüdiger, VF-Group wrote: > A question regarding your patch: > > @@ -427,29 +435,26 @@ int ssl_hook_Access(request_rec *r) > * function and not by OpenSSL internally (and our function is aware of > * both the per-server and per-directory contexts). So we cannot ask > * OpenSSL about the currently verify depth. Instead we remember it in > our > * ap_ctx attached to the SSL* of OpenSSL. We've to force the > * renegotiation if the reconfigured/new verify depth is less than the > * currently active/remembered verify depth (because this means more > * restriction on the certificate chain). > */ > - if ((sc->server->auth.verify_depth != UNSET) && > - (dc->nVerifyDepth == UNSET)) { > - /* apply per-vhost setting, if per-directory config is not set */ > - dc->nVerifyDepth = sc->server->auth.verify_depth; > - } > > Why don't you stick with the old approach of updating dc->nVerifyDepth and > using > this later on consistently
Because it was called "ugly" by Joe (and not threadsafe, possibly[?]):

http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3c20080604140111.ga12...@redhat.com%3e

> (the same happens with other fields in the same way later on)?

I don't think any of my changes to ssl_hook_Access adds an assignment to
any dc->something parameter (or it would be an oversight/bug if it did).

Kaspar
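
Review bot: In the ssl_hook_Access hunk quoted above, removing the fallback that copied sc->server->auth.verify_depth into dc->nVerifyDepth means every later read of the verify depth in this function has to resolve the effective value itself (per-directory if set, otherwise per-vhost), and the quoted part of the hunk does not show that replacement. Suggest computing it once into a local (name hypothetical), e.g. `n = (dc->nVerifyDepth != UNSET) ? dc->nVerifyDepth : sc->server->auth.verify_depth;`, and using that local in the renegotiation comparison the retained comment describes, so that an UNSET per-directory value is never compared against the remembered depth and a stricter per-vhost depth still forces renegotiation. The retained comment would also benefit from a sentence saying where the effective depth now comes from.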