> -----Ursprüngliche Nachricht-----
> Von: Kaspar Brand
> Gesendet: Donnerstag, 2. April 2009 07:15
> An: dev@httpd.apache.org
> Betreff: Re: SNI in 2.2.x (Re: Time for 2.2.10?)
>
> Plüm, Rüdiger, VF-Group wrote:
> > A question regarding your patch:
> >
> > @@ -427,29 +435,26 @@ int ssl_hook_Access(request_rec *r)
> > * function and not by OpenSSL internally (and our
> function is aware of
> > * both the per-server and per-directory contexts). So
> we cannot ask
> > * OpenSSL about the currently verify depth. Instead
> we remember it in our
> > * ap_ctx attached to the SSL* of OpenSSL. We've to force the
> > * renegotiation if the reconfigured/new verify depth
> is less than the
> > * currently active/remembered verify depth (because
> this means more
> > * restriction on the certificate chain).
> > */
> > - if ((sc->server->auth.verify_depth != UNSET) &&
> > - (dc->nVerifyDepth == UNSET)) {
> > - /* apply per-vhost setting, if per-directory
> config is not set */
> > - dc->nVerifyDepth = sc->server->auth.verify_depth;
> > - }
> >
> > Why don't you stick with the old approach of updating
> dc->nVerifyDepth and using
> > this later on consistently
>
> Because it was called "ugly" by Joe (and not threadsafe, possibly[?]):
>
> http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox
> /%3c20080604140111.ga12...@redhat.com%3e
>
Thanks for the pointer.
Going through the follow ups the following question remains for me:
Where did you address to adjust the
SSLCARevocation{File,Path} and
SSLOCSP{Enable,DefaultResponder,OverrideResponder}
settings in the case of an non SNI client connecting to the non default vhost?
> > (the same happens with other fields in the same way later on)?
>
> I don't think any of my changes to ssl_hook_Access adds an assignment
> to any dc->something parameter (or it would be an
> oversight/bug if it did).
This was a misunderstanding. I wanted to say that you followed this
design pattern throughout your patch and changed the logic from
assigning to dc->something to not assigning but to check the
server config separately. So your patch is consistent regarding this.
Regards
Rüdiger
