> > Questions :
> >
> > 1) It's not clear if SSLCACertificatePath must point to a directory
> > with client certs or a directory with well-known CA certs (i.e.
> > Thawte/Verisign...).
>
> A dir with known CA certs.
>
[GOMEZ Henri] No generated client certificates here? Where should they
be put, then? I'm worried about the CRL task.
Example: I generate a cert for a client but later I want to
revoke its cert.
How can mod_ssl determine that the presented certificate is no
longer valid?
With the verify depth level set to 1 we can only be sure the client
cert was generated with our CA.
> > 2) Does mod_ssl need hashed filenames in CAPath, since it parses all
> > files in the directory?
>
> It parses the files to construct the CA _list_, but
> OpenSSL later needs the hash links to _access_ the files.
>
[GOMEZ Henri] But didn't SSL_load_client_CA_file already load
the CAs into memory?
> > 3) When and where is the client certificate verification done in
> > mod_ssl?
>
> Inside the function ssl_callback_SSLVerify
>
[GOMEZ Henri] From what I see in the ssl_callback_SSLVerify code,
the ok flag seems to be set to 0 if something is wrong. mod_ssl only sets
the flag to 1 in some circumstances. So who calls the ssl_callback_SSLVerify
callback function? Some lower-level function in SSLeay...
>
> > 4) I've got a WebServer certificate from Thawte. Can I use it or
> > modify it to sign my own certificates?
> >
> > 1) Thawte
> > 2) my WWW certificate
> > 3) my clients certs
>
> You can't modify it after it's signed, of course. But you
> theoretically could use it to sign other certs, yes.
>
[GOMEZ Henri] Didn't Thawte set the www cert's path to 0 to keep it
from being a signing cert?
Thanks...
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
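As an added example (not part of this thread, and not code from mod_ssl or SSLeay), here is a small Python script that computes the hashed filename OpenSSL of that era expects in SSLCACertificatePath, i.e. the link name the reply on question 2 refers to. It implements the legacy X509_NAME_hash_old scheme: MD5 over the DER-encoded subject Name, first four bytes read as a little-endian integer, printed as eight hex digits and used as `<hash>.0`. It takes the DER-encoded subject rather than a whole certificate and includes a minimal DER encoder so a sample subject can be constructed inline; the OIDs, sample names and helper names are constructed for this example. OpenSSL 1.0.0 and later name directory entries with a different hash (`openssl x509 -subject_hash`) and print this older value with `-subject_hash_old`.

```python
import hashlib

# Attribute-type OIDs used to build a sample X.509 subject Name
# (constructed test data for this example).
OID_COMMON_NAME = bytes.fromhex("550403")   # 2.5.4.3  (commonName)
OID_ORGANIZATION = bytes.fromhex("55040a")  # 2.5.4.10 (organizationName)


def _der_len(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag: int, content: bytes) -> bytes:
    """Wrap content in a TLV with the given tag byte."""
    return bytes([tag]) + _der_len(len(content)) + content


def encode_subject_name(rdns):
    """DER-encode an X.509 Name from [(oid_bytes, printable_string), ...].

    Each RDN is SET { SEQUENCE { OID, PrintableString } } and the Name is a
    SEQUENCE of those RDNs. Only PrintableString values are supported here.
    """
    out = b""
    for oid, value in rdns:
        atv = _der(0x30, _der(0x06, oid) + _der(0x13, value.encode("ascii")))
        out += _der(0x31, atv)
    return _der(0x30, out)


def subject_hash_old(der_name: bytes) -> str:
    """Legacy OpenSSL X509_NAME_hash_old over a DER-encoded Name.

    MD5 of the encoding, first four bytes taken as a little-endian
    unsigned long, formatted as eight lowercase hex digits.
    """
    md = hashlib.md5(der_name).digest()
    return "%08x" % int.from_bytes(md[:4], "little")


def capath_filename(der_name: bytes, index: int = 0) -> str:
    """File or symlink name OpenSSL looks up in the CA directory:
    <hash>.<index>, where index disambiguates CAs whose hashes collide."""
    return "%s.%d" % (subject_hash_old(der_name), index)


if __name__ == "__main__":
    # Constructed sample CA subject: O=Example Org, CN=Example CA
    ca = encode_subject_name([(OID_ORGANIZATION, "Example Org"),
                              (OID_COMMON_NAME, "Example CA")])
    print("DER subject:", ca.hex())
    print("CAPath entry:", capath_filename(ca))
```

Compare the printed name with `openssl x509 -noout -subject_hash_old -in ca.crt` (or plain `-hash` on a 0.9.x build) to confirm that a link in the directory is named the way the library will look for it. The hash only selects a candidate file; the issuer name and signature are still checked afterwards, so a wrongly named link shows up as a failed chain lookup rather than a false acceptance.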