https://issues.apache.org/bugzilla/show_bug.cgi?id=50812
--- Comment #2 from [email protected] 2011-05-10 06:57:16 UTC ---

@Joe Orton: The TLS specification indicates that it's acceptable for the server to simply send a root CA and expect a client CA falling under that root. See http://tools.ietf.org/html/rfc5246

Section 7.4.4, in reference to the list of CA names in the client certificate request, provides that "These distinguished names may specify a desired distinguished name for a root CA or for a subordinate CA; thus, this message can be used to describe known roots as well as a desired authorization space."

Section 7.4.6, in reference to the client certificate message, provides that "This message conveys the client's certificate chain to the server" and "If the certificate_authorities list in the certificate request message was non-empty, one of the certificates in the certificate chain SHOULD be issued by one of the listed CAs."

These references strongly suggest that the list of acceptable CAs does not need to include every level of the certificate chain; it can simply include the root and let the client determine which certificates ultimately come under that root.

If searching multiple levels of the certificate chain is too complex, then I recommend as a minimum that the fallback action, when 'ssl_callback_proxy_cert' does not find a client certificate matching any on the acceptable CA list, should be to send the first configured client certificate, as if the acceptable CA list were empty.
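The selection rule the comment argues for, shown as an added example that is not httpd's or mod_ssl's own code: a leaf-only match (compare only the leaf's direct issuer against the server's certificate_authorities list) beside a chain-aware match that walks every level of each configured chain and falls back to the first configured certificate when nothing matches. Certificate chains are modelled here as constructed (subject, issuer) name pairs rather than OpenSSL X509 objects; the function names, the sample distinguished names such as "CN=Example Root CA", and the two-certificate configuration are all assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_CHAIN 4

/* Constructed model of one certificate: subject and issuer DN strings.
 * Stand-in for an X509 object, not OpenSSL's type. */
typedef struct {
    const char *subject;
    const char *issuer;
} cert_t;

/* One configured client (proxy) certificate: leaf first, then the issuing
 * CAs up to the root. 'depth' is the number of populated chain entries. */
typedef struct {
    const char *name;
    cert_t chain[MAX_CHAIN];
    int depth;
} client_cert_t;

/* Constructed sample configuration (hypothetical names):
 *  - proxy-cert-a is issued by a subordinate CA under "CN=Example Root CA"
 *  - proxy-cert-b is issued directly by "CN=Other Root CA" */
const client_cert_t sample_certs[2] = {
    { "proxy-cert-a",
      { { "CN=proxy-a",         "CN=Example Sub CA"  },
        { "CN=Example Sub CA",  "CN=Example Root CA" },
        { "CN=Example Root CA", "CN=Example Root CA" } }, 3 },
    { "proxy-cert-b",
      { { "CN=proxy-b",       "CN=Other Root CA" },
        { "CN=Other Root CA", "CN=Other Root CA" } }, 2 },
};
const int sample_n_certs = 2;

/* The server's CertificateRequest names only the root, which RFC 5246
 * section 7.4.4 permits ("known roots as well as a desired authorization space"). */
const char *sample_acceptable[1] = { "CN=Example Root CA" };

static int name_listed(const char *dn, const char **acceptable, int n_acceptable)
{
    for (int i = 0; i < n_acceptable; i++)
        if (strcmp(dn, acceptable[i]) == 0)
            return 1;
    return 0;
}

/* Leaf-only selection, the behaviour the bug report complains about: only
 * the leaf's direct issuer is compared, so a listed root never matches a
 * leaf issued by a subordinate CA. Returns the index of the chosen
 * certificate, or -1 when none is sent. */
int select_leaf_only(const client_cert_t *certs, int n_certs,
                     const char **acceptable, int n_acceptable)
{
    if (n_certs == 0)
        return -1;
    if (n_acceptable == 0)
        return 0;
    for (int i = 0; i < n_certs; i++)
        if (certs[i].depth > 0 &&
            name_listed(certs[i].chain[0].issuer, acceptable, n_acceptable))
            return i;
    return -1;
}

/* Chain-aware selection per RFC 5246 section 7.4.6: a configured certificate
 * qualifies if any certificate in its chain is issued by a listed CA, so a
 * listed root matches a leaf issued by one of that root's subordinates.
 * When nothing matches, fall back to the first configured certificate, as
 * if the acceptable CA list were empty (the comment's minimum recommendation). */
int select_chain_aware(const client_cert_t *certs, int n_certs,
                       const char **acceptable, int n_acceptable)
{
    if (n_certs == 0)
        return -1;
    if (n_acceptable == 0)
        return 0;
    for (int i = 0; i < n_certs; i++)
        for (int d = 0; d < certs[i].depth; d++)
            if (name_listed(certs[i].chain[d].issuer, acceptable, n_acceptable))
                return i;
    return 0;
}

static void report(const char *label, int idx)
{
    if (idx < 0)
        printf("%-12s -> no client certificate sent\n", label);
    else
        printf("%-12s -> %s\n", label, sample_certs[idx].name);
}

int main(void)
{
    /* Server lists only the root: leaf-only finds nothing, chain-aware picks a. */
    report("leaf-only", select_leaf_only(sample_certs, sample_n_certs, sample_acceptable, 1));
    report("chain-aware", select_chain_aware(sample_certs, sample_n_certs, sample_acceptable, 1));

    /* Server lists an unrelated CA: chain-aware falls back to the first cert. */
    const char *unrelated[1] = { "CN=Unrelated CA" };
    report("fallback", select_chain_aware(sample_certs, sample_n_certs, unrelated, 1));
    return 0;
}
```

The one behavioural difference to watch in a real implementation is the fallback: a callback that returns no certificate when the list does not match makes the handshake fail at the server (or proceed unauthenticated), whereas sending the first configured certificate lets the server apply its own chain validation, which is the decision the comment argues belongs to the server anyway.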
