Re: Confusion about SSLProxyCheckPeerName/CN

2016-06-02 Thread William A Rowe Jr
This looks like the resulting patch. Wordsmithing the docs changes today... On Wed, Jun 1, 2016 at 1:50 PM, Ruediger Pluem wrote: > > On 06/01/2016 05:45 PM, William A Rowe Jr wrote: > > > > CheckPeerName CheckPeerCN > > on {ignored} CheckPeerName

Re: Confusion about SSLProxyCheckPeerName/CN

2016-06-01 Thread Ruediger Pluem
On 06/01/2016 05:45 PM, William A Rowe Jr wrote: > > > On Wed, Jun 1, 2016 at 9:46 AM, Ruediger Pluem > wrote: > > > > On 06/01/2016 04:19 PM, William A Rowe Jr wrote: > > Correcting one typo, below... > > > > On Wed, Jun 1,

Re: Confusion about SSLProxyCheckPeerName/CN

2016-06-01 Thread William A Rowe Jr
On Wed, Jun 1, 2016 at 9:46 AM, Ruediger Pluem wrote: > > > On 06/01/2016 04:19 PM, William A Rowe Jr wrote: > > Correcting one typo, below... > > > > On Wed, Jun 1, 2016 at 9:19 AM, William A Rowe Jr > wrote: > > > > > >

Re: Confusion about SSLProxyCheckPeerName/CN

2016-06-01 Thread Ruediger Pluem
On 06/01/2016 04:19 PM, William A Rowe Jr wrote: > Correcting one typo, below... > > On Wed, Jun 1, 2016 at 9:19 AM, William A Rowe Jr > wrote: > > > Proposal... > > CheckPeerName CheckPeerCN > unset | on unset | on

Re: Confusion about SSLProxyCheckPeerName/CN

2016-06-01 Thread William A Rowe Jr
Correcting one typo, below... On Wed, Jun 1, 2016 at 9:19 AM, William A Rowe Jr wrote: > > Proposal... > > CheckPeerName CheckPeerCN > unset | on unset | on CheckPeerName verification > off on *CheckPeerCN* verification > off unset |

Re: Confusion about SSLProxyCheckPeerName/CN

2016-06-01 Thread William A Rowe Jr
On Tue, May 31, 2016 at 1:15 PM, Ruediger Pluem wrote: > > On 05/31/2016 06:37 PM, William A Rowe Jr wrote: > > It seems the behavior introduced in 2.4.5 is causing a lot > > of confusion for users attempting to disable peer checking. > > > > Right now, nothing needs to be

Re: Confusion about SSLProxyCheckPeerName/CN

2016-05-31 Thread William A Rowe Jr
On Tue, May 31, 2016 at 11:37 AM, William A Rowe Jr wrote: > It seems the behavior introduced in 2.4.5 is causing a lot > of confusion for users attempting to disable peer checking. > > I would suggest that CheckPeerCN should NOT default to "on" any longer. > The only valid

Re: Confusion about SSLProxyCheckPeerName/CN

2016-05-31 Thread Ruediger Pluem
On 05/31/2016 06:37 PM, William A Rowe Jr wrote: > It seems the behavior introduced in 2.4.5 is causing a lot > of confusion for users attempting to disable peer checking. > > Right now, nothing needs to be done to do deep inspection > (altsubjectname plus common name). Neither directive is

Confusion about SSLProxyCheckPeerName/CN

2016-05-31 Thread William A Rowe Jr
It seems the behavior introduced in 2.4.5 is causing a lot of confusion for users attempting to disable peer checking. Right now, nothing needs to be done to do deep inspection (altsubjectname plus common name). Neither directive is required, both default to on. Disabling checking is a pain in