"Ralf S. Engelschall" wrote:
> But when you use "SSLVerifyClient require" you cannot
> provide any HTML pages, because the whole authentication stuff is done
> _before_ any HTTP is spoken.
> When you really want to display such an error page, you can do the following:
> Instead of verifying the client certs by checking the signature of the issuer
> implicitly through mod_ssl+OpenSSL you can verify it manually via an
> SSLRequire expression. This is evaluated after the HTTP request happened, but
> before the HTTP response is sent. When the SSLRequire expression expands to
> false, a forbidden is forced by mod_ssl. And I'm sure you can intercept this
> with an ErrorDocument.
So I should change "require" for "optional_no_ca" and then check for my CA by
name? I don't think that is as secure as requiring the client certificate be
signed by my CA. Anyone could make a CA with the same name as mine...
Regards, Alf
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
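
An added configuration sketch, not part of the original messages, showing one way to get the error page without falling back to a name comparison: let the handshake complete with optional_no_ca, then have SSLRequire test the result of OpenSSL's chain verification instead of the issuer name. It assumes a mod_ssl that exports SSL_CLIENT_VERIFY (current Apache 2.x does); all paths, the CA name and the URLs are placeholders.

```apache
# Added example. File paths, "Example CA" and the URL layout are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # The CA whose signature a client certificate must chain to.
    SSLCACertificateFile  /path/to/my-ca.crt
    SSLVerifyDepth        1

    # Do not abort the handshake when the certificate is missing or
    # cannot be verified; the decision is made later, per request.
    SSLVerifyClient optional_no_ca

    # Served when SSLRequire below evaluates to false. It lives outside
    # /protected/ so it stays reachable without a valid certificate.
    ErrorDocument 403 /errors/cert-required.html

    <Location "/protected/">
        # Weak: the issuer DN is just a string inside the presented
        # certificate, so any self-made CA can carry the same name.
        # SSLRequire %{SSL_CLIENT_I_DN_CN} eq "Example CA"

        # Stronger: SSL_CLIENT_VERIFY is "SUCCESS" only when OpenSSL
        # validated the chain against SSLCACertificateFile.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    </Location>
</VirtualHost>
```

With this layout, anything not under /protected/ is served to clients with no certificate or an unverifiable one, so every location that needs client authentication must carry its own SSLRequire check.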