This would be useful for testing or internal use, but granted, it would be
seriously dodgy in a production machine.
John
-----Original Message-----
From: Gunther Schadow [mailto:[EMAIL PROTECTED]]
Sent: 20 March 2000 20:56
To: [EMAIL PROTECTED]
Subject: Issue: unreasonable SSLVerifyDepth policy!
Hi,
I have an issue with the policy one can set with SSLVerifyDepth. The
documentation says that "a depth of 0 means that self-signed client
certs are accepted only, the default depth of 1 means the client cert
can be self-signed or has to be signed by a CA which is directly known
to the server."
I mean, why would a serious server want to trust self-signed client
certificates? It seems like you can't say: "trust only those client
certs that are directly signed by a CA in the server's list of
trusted CAs." I would suppose, however, that this is the one default
mode that most sites will want to choose.
How is that done?
regards
-Gunther
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]