On 21 Jul 2013, at 20:58, Graham Leggett <minf...@sharp.fm> wrote:
> On 17 Jul 2013, at 4:44 PM, Eric Covener <cove...@gmail.com> wrote:
>
>> All of the client-cert-as-basic-auth-substitute mechanisms we have
>> require you to check the dummy password with a "real"
>> authbasicprovider.

That is not quite the case; you can avoid this with Anon and Authoritative; but conceptually that is as 'unclean'.

..
>> I think I need this to deprecate a proprietary module, and I don't
>> want to replace it with a proprietary (albeit simple)
>> AuthBasicProvider.
>
> +1.
>
> I would add this to mod_ssl though, rather than trying to make something like
> mod_auth_basic aware of this.

Agreed - this is something that should sit with mod_ssl - or be a side module to mod_ssl.

Fixing/adding this would probably mean also addressing some of the CA chain lax-ness we currently have - and have three (four) very distinct chains; one for the server itself & intermediates; one for the proxy and what it wants it accepts and one for the proxy it identifies as; and one for the client and what intermediates it recognises.

That may not be quite backward compatible - but IMHO worth breaking a few configs.

Dw.