Do you mean you want to use multiple CRLs?
On Tue, 2008-06-10 at 12:23 -0400, Sean R. McNamara wrote:
> Hi,
>
> I posted a message about this last week but didn't hear anything back
> from anyone. As of OS X 10.5.3, Apple changed the way client certs are
> released. In the case that a [apache] server is configured with
>
> SSLVerifyClient optional
>
> you must specify an option on your client cert in the keychain to allow that
> cert to be released to that particular requesting server. (in this
> case, our CAS server)
> The problem is you cannot specify wildcards in the option, and it considers
> URL parameters as part of the fixed URL.
>
> The end result is that CAS x509 auth breaks unless you were to explicitly
> specify every single possible entry point (i.e. every possible value
> of the 'service' parameter), which isn't pretty for larger deployments.
>
> Of course you can set SSLVerifyClient required, but this precludes anyone
> from doing any other form of authentication if they don't have a
> client cert since the SSL Handshake will fail and then, game over.
>
> It's a catch 22 either way. Has anyone else encountered this problem? If
> so, has anyone come up with any possible solutions?
>
> I appreciate any help or advice that could be provided..
>
> Thanks..
>
> ..Sean.
>
> _______________________________________________
> Yale CAS mailing list
> [email protected]
> http://tp.its.yale.edu/mailman/listinfo/cas
