This looks like the resulting patch. Wordsmithing the docs changes today...
On Wed, Jun 1, 2016 at 1:50 PM, Ruediger Pluem <rpl...@apache.org> wrote:
>
> On 06/01/2016 05:45 PM, William A Rowe Jr wrote:
> >
> > CheckPeerName CheckPeerCN
> > on {ignored} CheckPeerName verification
> > unset unset CheckPeerName verification
> > unset on CheckPeerName verification?
> > unset off no verification
> > off on *CheckPeerCN* verification
> > off unset | off no verification
> >
> > Because CheckPeerName is a superset of the CheckPeerCN functionality,
> > I don't think there is any harm is using CheckPeerName in this case.
> >
>
> I think CheckPeerName is ok in this case.
>
> Regards
>
> RĂ¼diger
>
Index: ssl_engine_io.c
===================================================================
--- ssl_engine_io.c (revision 1746587)
+++ ssl_engine_io.c (working copy)
@@ -1189,6 +1189,8 @@
}
}
if ((sc->proxy_ssl_check_peer_name != SSL_ENABLED_FALSE) &&
+ ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) ||
+ (sc->proxy_ssl_check_peer_name == SSL_ENABLED_TRUE)) &&
hostname_note) {
apr_table_unset(c->notes, "proxy-request-hostname");
if (!cert
@@ -1200,7 +1202,7 @@
"for hostname %s", hostname_note);
}
}
- else if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE) &&
+ else if ((sc->proxy_ssl_check_peer_cn == SSL_ENABLED_TRUE) &&
hostname_note) {
const char *hostname;
int match = 0;
