Joe Orton wrote:
| On Fri, Jan 28, 2005 at 02:40:38PM -0000, [EMAIL PROTECTED] wrote:
|
|> [...]
|> + SSLVerifyClient require +
|> SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" [...]
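Review bot: the added `SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"` line sits directly under `SSLVerifyClient require` with nothing in the visible lines saying why both are present. A one-line comment above the pair stating that the second check is intentional would save the next reader from dropping it as a duplicate, or from changing the level to `optional` without noticing what the `SSLRequire` line then does to clients that send no certificate.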
|
|
| Did you mean SSLVerifyClient optional? Otherwise the SSLRequire is
| surely redundant?
Actually, "SSLVerifyClient" means whether to *attempt* to validate the
peer certificate by sending appropriate handshake messages at the SSL
level, renegotiating mid-HTTP-request if need be e.g. because we are
in a <Location> directive.
So Geoff is saying, "you must try" and at the next line "you must also
succeed". With SSLVerifyClient optional, the semantics would be
instead "Don't bother to insist for a certificate", "but if user
forgot it, give him flaming death". Considered inappropriate :-)
-- 
Dominique QUATRAVAUX Ingénieur senior
01 44 42 00 08 IDEALX
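The two configurations compared in this thread, side by side, as an added example that is not part of the thread or the patch. The paths `/secure` and `/members` are hypothetical, and the enclosing virtual host is assumed to already set `SSLEngine on`, the server certificate and `SSLCACertificateFile`.

```apache
# Added example (not from the patch). Both paths are hypothetical.
# Assumes the enclosing <VirtualHost> already has SSLEngine on, the server
# certificate/key, and SSLCACertificateFile pointing at the client CA.

# Variant in the patch: demand a client certificate for this location,
# then also assert the recorded verification result.
<Location /secure>
    # Per-location setting: the server renegotiates mid-request to ask
    # for the certificate if the initial handshake did not.
    SSLVerifyClient require
    SSLVerifyDepth  1
    # Checked after the handshake, before the request is served.
    SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
</Location>

# Variant raised in the question: ask for a certificate without demanding one.
<Location /members>
    SSLVerifyClient optional
    SSLVerifyDepth  1
    # A client that sends no certificate still completes the handshake;
    # SSL_CLIENT_VERIFY is then "NONE", so this line denies the request
    # at the HTTP level (403) instead of at the SSL level.
    SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
</Location>
```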