On 9/26/2011 2:12 AM, Kaspar Brand wrote:
>
> Go ahead, I'll add my (nonbinding) vote afterwards :-)
>
> Just one (hopefully last) thing I overlooked before: the
> "ssl_log_ssl_error(SSLLOG_MARK, APLOG_EMERG, s);" line before the
> ssl_die() call apparently got lost somewhere on its way to the tree
On 25.9.11 18:54, Daniel Ruggeri wrote:
> On 9/23/2011 10:07 AM, Kaspar Brand wrote:
> Alternatively, we could adjust the callback and init functions to always
> build a chain (even if SSLProxyMachineCertificateChainFile is not set)
> and check "by chain" by doing the X509_NAME_cmp for each item in
On 9/23/2011 10:07 AM, Kaspar Brand wrote:
> On 22.09.2011 22:25, Daniel Ruggeri wrote:
>> trunk suggestion - if this jives, I'll commit later when I have a bit
> Looks good, just some nits:
>
>> for (n = 0; n < ncerts; n++) {
>> int i, res;
> res is no longer used, AFAICT
Correct - re
> -Original Message-
> From: Kaspar Brand
> Sent: Freitag, 23. September 2011 17:07
> To: dev@httpd.apache.org
> Subject: Re: svn commit: r1172010 -
> /httpd/httpd/trunk/modules/ssl/ssl_engine_init.c
>
> Maybe I'm somewhat confused by what "Apac
On 22.09.2011 22:25, Daniel Ruggeri wrote:
> On 9/22/2011 5:39 AM, Kaspar Brand wrote:
>> Having it in one patch seems fine to me, but in the end, it's the
>> PMC members who will vote on backport proposals (IIUC), so it's
>> their opinion which really matters.
>
> IINM, I believe we as committers
On 9/22/2011 5:39 AM, Kaspar Brand wrote:
> Having it in one patch seems fine to me, but in the end, it's the
> PMC members who will vote on backport proposals (IIUC), so it's
> their opinion which really matters.
IINM, I believe we as committers all have a vote... that said, I hope
you would drop
On 21.09.2011 19:40, Daniel Ruggeri wrote:
> Also - any opposition to including SSL_X509_NAME_to_string as part of
> the backport proposal? I would like to keep the patches consistent. If
> not, would you prefer me to roll it into the
> SSLProxyMachineCertificateChainFile patch or propose it separa
On 9/19/2011 3:28 PM, Kaspar Brand wrote:
> IMO, you can always drop the first element of the chain, since you only
> want to remember CA certs in pkp->ca_certs.
>
OK, cool - I was unsure if the chain would ALWAYS contain the cert in
cases of validation OK or error. I'll make this quick update.
>
On 17.09.2011 18:25, drugg...@apache.org wrote:
> +if (res == 1) {
> +/* Removing the client cert if verification is OK
> + * could save a loop when choosing which cert to send
> + * when more than one is available */
> +/* XXX: This is not ne
On 9/19/2011 12:55 AM, Ruediger Pluem wrote:
> On 09/17/2011 06:25 PM, drugg...@apache.org wrote:
>> > Author: druggeri
>> > Date: Sat Sep 17 16:25:17 2011
>> > New Revision: 1172010
>> >
>> > URL: http://svn.apache.org/viewvc?rev=1172010&view=rev
>> > Log:
>> > Log better information and prevent
On 09/17/2011 06:25 PM, drugg...@apache.org wrote:
> Author: druggeri
> Date: Sat Sep 17 16:25:17 2011
> New Revision: 1172010
>
> URL: http://svn.apache.org/viewvc?rev=1172010&view=rev
> Log:
> Log better information and prevent leak of an X509 structure for
> SSLProxyMachineCertificateChainFi
11 matches