From: Ruediger Pluem Date: Wed, 29 Apr 2009 16:18:21 +0000 (+0000) Subject: * Set SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN to on by default. X-Git-Tag: 2.3.3~683 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=da160114d6d9be0c6e23e2f809e8293c5bd210bd;p=thirdparty%2Fapache%2Fhttpd.git * Set SSLProxyCheckPeerExpire and SSLProxyCheckPeerCN to on by default. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@769815 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index dfaea3b865e..b059e731e47 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -1537,7 +1537,7 @@ SSLProxyVerifyDepth 10 Whether to check if remote server certificate is expired SSLProxyCheckPeerExpire on|off
-SSLProxyCheckPeerExpire off
+SSLProxyCheckPeerExpire on
 server config virtual host
@@ -1558,7 +1558,7 @@ SSLProxyCheckPeerExpire on Whether to check the remote server certificates CN field SSLProxyCheckPeerCN on|off
-SSLProxyCheckPeerCN off
+SSLProxyCheckPeerCN on
 server config virtual host
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 0160554638c..5672e1cf570 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -1073,7 +1073,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
 return MODSSL_ERROR_BAD_GATEWAY;
 }
- if (sc->proxy_ssl_check_peer_expire == SSL_ENABLED_TRUE) {
+ if (sc->proxy_ssl_check_peer_expire != SSL_ENABLED_FALSE) {
 cert = SSL_get_peer_certificate(filter_ctx->pssl);
 if (!cert || (X509_cmp_current_time(
@@ -1091,7 +1091,7 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
 }
 X509_free(cert);
 }
- if ((sc->proxy_ssl_check_peer_cn == SSL_ENABLED_TRUE)
+ if ((sc->proxy_ssl_check_peer_cn != SSL_ENABLED_FALSE)
 && ((hostname_note = apr_table_get(c->notes, "proxy-request-hostname")) != NULL)) {
 const char *hostname;
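Review bot: The new default exists only as the `!= SSL_ENABLED_FALSE` comparison in ssl_io_filter_handshake, so every value other than an explicit off (presumably including the unset state left after config merge) now turns the expiry check on, and nothing at the test says that is intended. I would add a comment above it such as `/* anything but an explicit "off" enables the check: SSLProxyCheckPeerExpire defaults to on */`, or resolve the default where the server config is created or merged so the use site can keep `== SSL_ENABLED_TRUE`. The same applies to the `proxy_ssl_check_peer_cn` test in the @@ -1091 hunk. The function starts and ends outside this hunk, so the merge code is not visible here.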
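Review bot: With SSLProxyCheckPeerCN now on by default, the CN comparison is still skipped silently whenever the `proxy-request-hostname` note is missing, because the second half of the condition requires `apr_table_get(c->notes, "proxy-request-hostname")` to be non-NULL. An operator relying on the new default gets no peer-name check on such connections and no log line saying so. I would at least document this on the condition, e.g. `/* no hostname note: CN check is skipped even when enabled */`, and preferably log a warning or refuse the handshake when the directive is enabled but no hostname is available. The body of this `if` and the rest of the function lie outside the hunk, so a later fallback, if any, cannot be seen from here.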