Re: Confusion about SSLProxyCheckPeerName/CN

William A Rowe Jr Wed, 01 Jun 2016 08:45:25 -0700

On Wed, Jun 1, 2016 at 9:46 AM, Ruediger Pluem <rpl...@apache.org> wrote:


>
>
> On 06/01/2016 04:19 PM, William A Rowe Jr wrote:
> > Correcting one typo, below...
> >
> > On Wed, Jun 1, 2016 at 9:19 AM, William A Rowe Jr <wr...@rowe-clan.net
> <mailto:wr...@rowe-clan.net>> wrote:
> >
> >
> >     Proposal...
> >
> >     CheckPeerName  CheckPeerCN
> >      unset | on    unset | on    CheckPeerName verification
> >          off           on        *CheckPeerCN* verification
> >          off       unset | off   no verification
> >      unset | off       off       no verification
> >
> >     WDYT?
> >
> >
> >
>
> In general yes plus
>
> CheckPeerName  CheckPeerCN
>       on    unset | off    CheckPeerName verification
>

What about one more exceptional case... where the

CheckPeerCN On

is the only directive?  Do we still want to enable CheckPeerName by default?

  CheckPeerName  CheckPeerCN
       on         {ignored}    CheckPeerName verification
       unset         unset     CheckPeerName verification
       unset         on        CheckPeerName or CheckPeerCN verification?
       unset         off       no verification
       off           on        *CheckPeerCN* verification
       off       unset | off   no verification

Because CheckPeerName is a superset of the CheckPeerCN functionality,
I don't think there is any harm is using CheckPeerName in this case.

Re: Confusion about SSLProxyCheckPeerName/CN

Reply via email to