Commit 19689a2d authored by Leigh B Stoller

Update comment about client verification.

parent 7779ffa7
......@@ -1328,7 +1328,14 @@ CustomLog @prefix@/log/apache_ssl_request_log \
SSLCACertificateFile @prefix@/etc/genica.bundle
# Another bundle of CRLs.
SSLCARevocationFile @prefix@/etc/genicrl.bundle
# Must use optional to avoid renegotiation, which is broken.
#
# THIS HAS TO BE optional! Why? Cause recent security patches disables SSL
# renegotiation, which is needed when a subdir turns on ssl client
# verification (as we used to). Now, we set it to "optional",
# which avoids the renegotiation problem. The backend scripts MUST
# check their environment to ensure they are always invoked by a client
# supplying a verifiable certificate.
#
SSLVerifyClient optional
# Reject the unencrypted certs that all users get.
......
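Review bot: The comment block above `SSLVerifyClient optional` says the backend scripts MUST check their environment, but it does not say what they should check. With `optional`, a client that presents no certificate still completes the handshake and reaches the scripts, so the comment should name the check, for example that mod_ssl's SSL_CLIENT_VERIFY equals SUCCESS, or point to the shared helper that enforces it. Two wording nits in the same block: "patches disables" should be "patches disable", and "Cause" reads better as "Because".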