Roger that, no xreflabels ;-).  Attached is a log of the IRC
conversation between Jamie and myself about the SSLOptions.

The highlights:

  +CompatEnvVars)   should not be used:
      Syntax error on line 11 of /etc/apache2/sites-enabled/strandboge.com_ssl:
      SSLOptions: Illegal option 'CompatEnvVars'

  +StrictRequire)   should definitely be there:
      it makes sure that when using SSLRequireSSL that access is forbidden
      (that is the intuitive use of SSLRequireSSL)

  +FakeBasicAuth)   I am not sure FakeBasicAuth is a good default:
      it allows using a client cert instead of basic authentication if the
      client has a valid one
      that is not an intuitive use IMO and would be site-specific

  +ExportCertData)  seems harmless enough-- exports ssl environment
      variables so cgi can access them
      it too seems site-specific
      so really, all can go with no problems, but I really think
      +StrictRequire should stay


Also, here is a link to the Apache doc describing the options: 
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#ssloptions

** Attachment added: "IRC log"
   http://launchpadlibrarian.net/11134790/jdstrand_apache_feedback

-- 
mod_ssl should not use +CompatEnvVars
https://bugs.launchpad.net/bugs/179959
You received this bug notification because you are a member of Ubuntu
Bugs, which is the bug contact for Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
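
A small checker for the SSLOptions values discussed in the message above, as an added example that is not part of the original report or of Apache. `NOTES`, `audit_ssl_options` and both sample configurations are constructed for illustration, and the snippet is treated as one scope (per-directory merging is not modelled).

```python
# Notes per option, paraphrasing the bug comment above.
NOTES = {
    "compatenvvars": "reported as an illegal SSLOptions value (syntax error)",
    "fakebasicauth": "site-specific: valid client cert replaces basic auth",
    "exportcertdata": "site-specific: exports SSL environment variables to CGI",
}

# Constructed sample vhost, not taken from the bug report.
SAMPLE = """\
<VirtualHost *:443>
    # default options under review
    SSLEngine on
    SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars
    <Directory /var/www/private>
        SSLRequireSSL
    </Directory>
</VirtualHost>
"""
# Same vhost with only the option the comment argues should stay.
HARDENED = SAMPLE.replace("+FakeBasicAuth +ExportCertData +CompatEnvVars",
                          "+StrictRequire")

def audit_ssl_options(conf_text):
    """Return sorted (line_number, message) findings for one config snippet."""
    findings, enabled, require_lines = [], set(), []
    for number, raw in enumerate(conf_text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        directive, args = parts[0].lower(), parts[1:]
        if directive == "sslrequiressl":
            require_lines.append(number)
        elif directive == "ssloptions":
            # Options without a +/- prefix replace the current set.
            if not all(a[0] in "+-" for a in args):
                enabled.clear()
            for arg in args:
                name = arg.lstrip("+-").lower()
                if arg.startswith("-"):
                    enabled.discard(name)
                    continue
                enabled.add(name)
                if name in NOTES:
                    findings.append((number, f"{name}: {NOTES[name]}"))
    # SSLRequireSSL relies on StrictRequire to make its denial final.
    if "strictrequire" not in enabled:
        findings += [(n, "SSLRequireSSL without +StrictRequire")
                     for n in require_lines]
    return sorted(findings)
```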
