Hi,
It would be better if we had a way to compare a certificate fingerprint in
SSLRequire expressions... Is that possible?
Regards, Alf
Alfredo Raul Pena wrote:
> "Ralf S. Engelschall" wrote:
>
> > But when you use "SSLVerifyClient require" you cannot
> > provide any HTML pages, because the whole authentication stuff is done
> > _before_ any HTTP is spoken.
> > When you really want to display such an error page, you can do the following:
> > Instead of verifying the client certs by checking the signature of the issuer
> > implicitly through mod_ssl+OpenSSL you can verify it manually via an
> > SSLRequire expression. This is evaluated after the HTTP request happened, but
> > before the HTTP response is sent. When the SSLRequire expression expands to
> > false, a forbidden is forced by mod_ssl. And I'm sure you can intercept this
> > with an ErrorDocument.
>
> So I should change "require" to "optional_no_ca" and then check for my CA by
> name? I don't think that is as secure as requiring the client certificate be
> signed by my CA. Anyone could make a CA with the same name as mine...
>
> Regards, Alf
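The two configurations discussed in the quoted exchange, side by side, as an added example from the editor (not configuration posted by Ralf, Alf or the mod_ssl project). The CA bundle path, the /secure location and the /errors/need-cert.html page are assumptions for illustration. It does not address the fingerprint question at the top of this message, since the thread names no SSLRequire variable for that; it shows how to get an HTML error page without dropping issuer verification, which is Alf's objection to optional_no_ca.

```apache
# Added example, not from the mailing-list thread. Assumes Apache httpd with
# mod_ssl, a CA bundle at /etc/ssl/ca/my-ca.pem (assumed path) and a static
# page at /errors/need-cert.html (assumed path) served outside /secure.

# Variant A: what Alf has today. The cert is checked during the TLS handshake,
# so a client without an acceptable cert never gets an HTTP response, and no
# ErrorDocument can be shown.
#   SSLVerifyClient require
#   SSLVerifyDepth  1
#   SSLCACertificateFile /etc/ssl/ca/my-ca.pem

# Variant B (weak, the one Alf is worried about): optional_no_ca accepts any
# cert without checking the issuer signature, and SSL_CLIENT_VERIFY becomes
# GENEROUS. An SSLRequire on %{SSL_CLIENT_I_DN} then only compares the issuer
# *name*, which anyone can copy into a home-made CA.
#   SSLVerifyClient optional_no_ca
#   SSLRequire %{SSL_CLIENT_I_DN} eq "/C=XX/O=Example/CN=Example CA"

# Variant C: keep the signature check, move only the "no cert" decision to the
# HTTP level. With "optional", a cert that IS presented must still chain to
# SSLCACertificateFile or the handshake fails exactly as in Variant A. Only a
# client that presents no cert at all gets through, with SSL_CLIENT_VERIFY set
# to NONE; SSLRequire then forces a 403 that ErrorDocument turns into HTML.
SSLVerifyClient optional
SSLVerifyDepth  1
SSLCACertificateFile /etc/ssl/ca/my-ca.pem

<Location /secure>
    SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS"
    ErrorDocument 403 /errors/need-cert.html
</Location>

# The error page must live outside /secure; if it were inside, the SSLRequire
# above would refuse the ErrorDocument request as well.
```

Check it with a browser that holds no client certificate: Variant A yields a TLS handshake failure, Variant C yields the HTML page. A browser holding a certificate from an unrelated CA is still refused at the handshake in Variant C, which is the property Variant B gives up.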
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]