Plüm, Rüdiger, VF-Group wrote:
> A question regarding your patch:
>
> @@ -427,29 +435,26 @@ int ssl_hook_Access(request_rec *r)
> * function and not by OpenSSL internally (and our function is aware of
> * both the per-server and per-directory contexts). So we cannot ask
> * OpenSSL about the currently verify depth. Instead we remember it in
> our
> * ap_ctx attached to the SSL* of OpenSSL. We've to force the
> * renegotiation if the reconfigured/new verify depth is less than the
> * currently active/remembered verify depth (because this means more
> * restriction on the certificate chain).
> */
> - if ((sc->server->auth.verify_depth != UNSET) &&
> - (dc->nVerifyDepth == UNSET)) {
> - /* apply per-vhost setting, if per-directory config is not set */
> - dc->nVerifyDepth = sc->server->auth.verify_depth;
> - }
>
> Why don't you stick with the old approach of updating dc->nVerifyDepth and
> using
> this later on consistently
Because it was called "ugly" by Joe (and not threadsafe, possibly[?]):
http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/%3c20080604140111.ga12...@redhat.com%3e
> (the same happens with other fields in the same way later on)?
I don't think any of my changes to ssl_hook_Access adds an assignment
to any dc->something parameter (or it would be an oversight/bug if it did).
Kaspar
