* Set SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN to on by default.
authorRuediger Pluem <rpluem@apache.org>
Wed, 29 Apr 2009 16:18:21 +0000 (16:18 +0000)
committerRuediger Pluem <rpluem@apache.org>
Wed, 29 Apr 2009 16:18:21 +0000 (16:18 +0000)
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@769815 13f79535-47bb-0310-9956-ffa450edef68

docs/manual/mod/mod_ssl.xml
modules/ssl/ssl_engine_io.c

index dfaea3b865e7827e1524583408f2cb0b0bafb084..b059e731e47e8047dafbe762350567fe14f73fa7 100644 (file)
@@ -1537,7 +1537,7 @@ SSLProxyVerifyDepth 10
 <description>Whether to check if remote server certificate is expired
 </description>
 <syntax>SSLProxyCheckPeerExpire on|off</syntax>
-<default>SSLProxyCheckPeerExpire off</default>
+<default>SSLProxyCheckPeerExpire on</default>
 <contextlist><context>server config</context>
 <context>virtual host</context></contextlist>
 
@@ -1558,7 +1558,7 @@ SSLProxyCheckPeerExpire on
 <description>Whether to check the remote server certificates CN field
 </description>
 <syntax>SSLProxyCheckPeerCN on|off</syntax>
-<default>SSLProxyCheckPeerCN off</default>
+<default>SSLProxyCheckPeerCN on</default>
 <contextlist><context>server config</context>
 <context>virtual host</context></contextlist>
 
index 0160554638cff12e6c89c748ff9bfa14b9be8fd0..5672e1cf570aca6a819bed292a5b6af69fb0f48b 100644 (file)
@@ -1073,7 +1073,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
             return MODSSL_ERROR_BAD_GATEWAY;
         }
 
-        if (sc->proxy_ssl_check_peer_expire == SSL_ENABLED_TRUE) {
+        if (sc->proxy_ssl_check_peer_expire != SSL_ENABLED_FALSE) {
             cert = SSL_get_peer_certificate(filter_ctx->pssl);
             if (!cert
                 || (X509_cmp_current_time(
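Review bot: The new test on `sc->proxy_ssl_check_peer_expire` enables the expiry check for every value other than `SSL_ENABLED_FALSE`, so the secure default depends on the field remaining unset after config merge, and nothing at the call site says so. A short comment such as `/* on by default: anything but an explicit "off" (including unset) enables the check */` would keep a later cleanup from reverting to `== SSL_ENABLED_TRUE` and silently switching the default off again. The same applies to the `proxy_ssl_check_peer_cn` test in the next hunk. Backends with expired certificates that proxied successfully before will presumably now fail with the bad-gateway error returned just above this condition, which is worth stating in the upgrade notes. The enclosing function starts and ends outside the hunk.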
@@ -1091,7 +1091,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
             }
             X509_free(cert);
         }
-        if ((sc->proxy_ssl_check_peer_cn == SSL_ENABLED_TRUE)
+        if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE)
             && ((hostname_note =
                  apr_table_get(c->notes, "proxy-request-hostname")) != NULL)) {
             const char *hostname;
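Review bot: The CN check is still skipped whenever the `proxy-request-hostname` note is absent from `c->notes`, so with the directive now on by default a connection that never had the note set passes with no hostname comparison and no log line. Consider failing closed, or at least logging, when `proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE` and `hostname_note` is NULL; whether any proxy code path omits the note cannot be seen from this hunk. Per the directive's description only the CN field is compared, so a certificate that names the host solely in subjectAltName would presumably be rejected, and that limitation deserves a sentence in the documentation. The body of this `if` continues outside the hunk.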