From 8391c6f3fe27e58aee67a1863284ab160ab430e9 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Fri, 12 Apr 2024 10:32:14 +0200 Subject: Merging upstream version 2.4.59. Signed-off-by: Daniel Baumann --- docs/manual/mod/mod_ssl.html.en | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) (limited to 'docs/manual/mod/mod_ssl.html.en') diff --git a/docs/manual/mod/mod_ssl.html.en b/docs/manual/mod/mod_ssl.html.en index 5d6b416..ee92ffb 100644 --- a/docs/manual/mod/mod_ssl.html.en +++ b/docs/manual/mod/mod_ssl.html.en @@ -1896,7 +1896,8 @@ SSLProxyCACertificateFile.

Context:server config, virtual host, proxy section Status:Extension Module:mod_ssl -Compatibility:The proxy section context is allowed in httpd 2.4.30 and later +Compatibility:The proxy section context is allowed in httpd 2.4.30 and later
+Inclusion of non-leaf (CA) certificates is permitted only in httpd 2.4.59 and later.

This directive sets the all-in-one file where you keep the certificates and @@ -1905,13 +1906,10 @@ keys used for authentication of the proxy server to remote servers.

This referenced file is simply the concatenation of the various PEM-encoded certificate files. Use this directive alternatively or -additionally to SSLProxyMachineCertificatePath. The -referenced file can contain any number of pairs of client certificate -and associated private key. Each pair can be specified in either -(certificate, key) or (key, certificate) order. If the file includes -any non-leaf certificate, or any unmatched key and certificate pair, a -configuration error will be issued at startup. -

+additionally to SSLProxyMachineCertificatePath. The referenced file can contain any number of pairs of client +certificate and associated private key. Each pair can be specified in +either (certificate, key) or (key, certificate) order. Non-leaf (CA) certificates can +also be included in the file, and are treated as if configured with SSLProxyMachineCertificateChainFile.

When challenged to provide a client certificate by a remote server, the server should provide a list of acceptable certificate @@ -1922,7 +1920,7 @@ client cert/key. If a list of CA names is provided, to find a configured client cert which was issued either directly by that CA, or indirectly via any number of intermediary CA certificates. The chain of intermediate CA certificates can be built from those -configured with SSLProxyMachineCertificateChainFile. The +included in the file, or configured with SSLProxyMachineCertificateChainFile. The first configured matching certificate will then be supplied in response to the challenge.

@@ -2879,7 +2877,7 @@ var comments_identifier = 'http://httpd.apache.org/docs/2.4/mod/mod_ssl.html'; } })(window, document); //-->