"Ralf S. Engelschall" wrote:
> 
> On Mon, Mar 08, 1999, Marc Jadoul wrote:
> 
> > Is mod-ssl able to do client authentication and require that the client
> > has a certificate signed by a specific subordinate CA?
> >
> > Of course it can be done if you combine SSLCACertificatePath with
> > SSLRequire.
> >
> > But, in the TLS specification, when the server requests the client
> > certificate, it is able to send the list of accepted issuer DNs.
> > In mod-ssl, if you configure SSLCACertificateFile, the top Root DN is
> > sent. Then in Netscape, if a client has a certificate signed by a
> > subordinate CA, it is (eventually) automatically chosen even if this is a
> > wrong certificate.
> >
> > Am I missing something or is it right?
> > Do you have an idea about resolving this cleanly?
> 
> Actually the list of all DNs (not only root DNs) is sent to the client when
> they can be found under SSLCACertificatePath. The same should apply to
> SSLCACertificateFile. OTOH sending the root DN should be enough for Netscape,
> shouldn't it? Have you really tried configuring all subordinate CAs inside
> SSLCACertificate{File,Path} and discovered that only the root CA's DN is sent?

No, I didn't. What I mean is different:

As I understand it, the top root should be sent only if ALL certificates
signed under this top Root are accepted. If we accept only one
Subordinate CA (Class 3 CA), only the DN of this CA should be sent.
Actually it is not possible to get this with mod-ssl, because if we put
only a subordinate CA in the list it has to be self-signed, otherwise no
client is accepted.

Marc
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]

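To make the point of the thread concrete, here is an added model (not code from the list, from Marc, or from mod_ssl) of the part of the TLS handshake under discussion: the server's CertificateRequest carries a `certificate_authorities` list of DER-encoded DistinguishedNames, and a client such as Netscape treats a certificate as eligible when any name in its issuer chain appears in that list. The message layout follows the TLS 1.2 CertificateRequest (RFC 5246, section 7.4.4; the TLS 1.0 message the 1999 thread targets has the same list but no `supported_signature_algorithms` field). The CA names, the two client certificates and the selection rule are constructed for the demonstration; the DER Name encoder handles only the C, O, OU and CN attribute types. Running it shows exactly what Marc describes: advertising only the root's DN makes every certificate under that root eligible, while advertising only the "Class 3 CA" DN narrows the choice to certificates issued by it.

```python
"""
Model of the TLS CertificateRequest.certificate_authorities list and of a
client's certificate selection against it. Added example; names are constructed.
"""
import struct

# X.520 attribute type OIDs (id-at-countryName, organizationName, organizationalUnitName, commonName)
OIDS = {"C": b"\x55\x04\x06", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b", "CN": b"\x55\x04\x03"}
OID_NAMES = {v: k for k, v in OIDS.items()}


def _tlv(tag, body):
    """DER tag-length-value with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        octets = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(octets)]) + octets
    return bytes([tag]) + length + body


def der_name(attrs):
    """Encode [(type, value), ...] as an X.501 Name: SEQUENCE OF SET OF AttributeTypeAndValue."""
    rdns = b""
    for typ, value in attrs:
        # 0x13 = PrintableString; each RDN holds one attribute here
        atv = _tlv(0x30, _tlv(0x06, OIDS[typ]) + _tlv(0x13, value.encode("ascii")))
        rdns += _tlv(0x31, atv)
    return _tlv(0x30, rdns)


def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) for the DER element at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def name_to_str(der):
    """Decode a DER Name back to 'C=XX, O=..., OU=...' for display."""
    tag, seq, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    parts, pos = [], 0
    while pos < len(seq):
        tag, rdn_set, pos = _read_tlv(seq, pos)
        assert tag == 0x31, "RDN must be a SET"
        _, atv, _ = _read_tlv(rdn_set, 0)
        _, oid, p = _read_tlv(atv, 0)
        _, val, _ = _read_tlv(atv, p)
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('ascii')}")
    return ", ".join(parts)


def build_certificate_request(ca_names):
    """TLS 1.2 CertificateRequest body: certificate_types, supported_signature_algorithms, certificate_authorities."""
    cert_types = bytes([1, 1])                       # one entry: rsa_sign(1)
    sig_algs = struct.pack(">H", 2) + b"\x04\x01"    # one entry: sha256 + rsa
    dn_list = b"".join(struct.pack(">H", len(n)) + n for n in ca_names)
    return cert_types + sig_algs + struct.pack(">H", len(dn_list)) + dn_list


def parse_certificate_authorities(body):
    """Return the DER DistinguishedNames a server advertised in a CertificateRequest body."""
    pos = 1 + body[0]                                # skip certificate_types
    (n,) = struct.unpack_from(">H", body, pos)
    pos += 2 + n                                     # skip supported_signature_algorithms
    (total,) = struct.unpack_from(">H", body, pos)
    pos += 2
    end, names = pos + total, []
    while pos < end:
        (n,) = struct.unpack_from(">H", body, pos)
        pos += 2
        names.append(bytes(body[pos:pos + n]))
        pos += n
    return names


def select_client_certs(client_certs, advertised):
    """Client-side rule modelled here: a cert is eligible if any issuer in its chain was advertised."""
    wanted = set(advertised)
    return [c["label"] for c in client_certs if wanted.intersection(c["chain"])]


# Constructed CA hierarchy: one root with two subordinate CAs
ROOT = der_name([("C", "BE"), ("O", "Example Root CA")])
CLASS1 = der_name([("C", "BE"), ("O", "Example Root CA"), ("OU", "Class 1 CA")])
CLASS3 = der_name([("C", "BE"), ("O", "Example Root CA"), ("OU", "Class 3 CA")])

# Constructed client certificates; 'chain' lists issuer names from the signing CA up to the root
CLIENT_CERTS = [
    {"label": "alice (Class 3)", "chain": [CLASS3, ROOT]},
    {"label": "bob (Class 1)", "chain": [CLASS1, ROOT]},
]


def demo(advertised):
    """Server advertises the given CA names; return which client certs become eligible."""
    body = build_certificate_request(advertised)
    return select_client_certs(CLIENT_CERTS, parse_certificate_authorities(body))


if __name__ == "__main__":
    print("advertised:", [name_to_str(n) for n in [ROOT]], "->", demo([ROOT]))
    print("advertised:", [name_to_str(n) for n in [CLASS3]], "->", demo([CLASS3]))
```

The model leaves out what mod_ssl adds on top: a server that trusts only "Class 3 CA" still has to be able to build the chain to a trusted root, which is why a lone subordinate CA in SSLCACertificateFile does not work without its root, and the SSLRequire check on the issuer DN (`SSL_CLIENT_I_DN`) is what enforces the restriction after the handshake. Later mod_ssl releases (Apache 2.2 onwards) added SSLCADNRequestFile/SSLCADNRequestPath precisely to decouple the advertised DN list from the trust store, which is the clean resolution the thread is asking for.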