From: Eric Covener <covener@apache.org>
Date: Sat, 17 Sep 2016 13:10:06 +0000 (+0000)
Subject: Merge r1761215 from trunk:
X-Git-Tag: 2.4.24~245
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d551568bdf515c1645be5b890a24a4528627f324;p=thirdparty%2Fapache%2Fhttpd.git

Merge r1761215 from trunk:

feedback in   http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#comment_5818

This added paragraph about optional and optional_no_ca isn't helpful.

At the TLS layer, the challenge for otpional and required are no different.

Move the caution about _no_ca up into where the option is defined
and reword.





git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1761217 13f79535-47bb-0310-9956-ffa450edef68
---

diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index 6495ea0d444..596876c0056 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -1292,13 +1292,9 @@ The following levels are available for <em>level</em>:</p>
      the client <em>has to</em> present a valid Certificate</li>
 <li><strong>optional_no_ca</strong>:
      the client may present a valid Certificate<br />
-     but it need not to be (successfully) verifiable.</li>
+     but it need not to be (successfully) verifiable. This option
+     cannot be relied upon for client authentication.  </li>
 </ul>
-<p>In practice only levels <strong>none</strong> and
-<strong>require</strong> are really interesting, because level
-<strong>optional</strong> doesn't work with all browsers and level
-<strong>optional_no_ca</strong> is actually against the idea of
-authentication (but can be used to establish SSL test pages, etc.)</p>
 <example><title>Example</title>
 <highlight language="config">
 SSLVerifyClient require