Hi, I've got a question regarding client authentication and self-signed certificates: I want to force mod_ssl to ban self-signed certificates from being accepted as valid certificates.

From what I remember, one suggestion was to use SSLRequire in order to compare the subject_dn to the issuer_dn. But this seems to be easily fakeable:

1. Create a self-signed CA certificate
2. Create a request using the key above, but a different DN
3. Sign it

Here's an example:

-----BEGIN CERTIFICATE-----
MIIEVzCCA8CgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBmjELMAkGA1UEBhMCQ0gx
EDAOBgNVBAgTB1p1ZXJpY2gxEzARBgNVBAcTCkdsYXR0YnJ1Z2cxFDASBgNVBAoT
C1RyaXZhZGlzIEFHMRIwEAYDVQQLEwllU2VjdXJpdHkxGTAXBgNVBAMTEEZha2Ug
UGVyc29uYWwgQ0ExHzAdBgkqhkiG9w0BCQEWEHR3ZUB0cml2YWRpcy5jb20wHhcN
MDEwMTEyMDk0NzU3WhcNMDIwMTEyMDk0NzU3WjCBljELMAkGA1UEBhMCQ0gxEDAO
BgNVBAgTB1p1ZXJpY2gxEzARBgNVBAcTCkdsYXR0YnJ1Z2cxFDASBgNVBAoTC1Ry
aXZhZGlzIEFHMRIwEAYDVQQLEwllU2VjdXJpdHkxFTATBgNVBAMTDFRob21hcyBX
ZWJlcjEfMB0GCSqGSIb3DQEJARYQdHdlQHRyaXZhZGlzLmNvbTCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAxjqgeoNLo0U5y/KtzwhwkKdLW+bhxoN1PQbeBQk0
j0US/UYi/cjfNn2Na0gqp019vgCGfsE0yHVO9S6EFNgqAZ3hBXEgBGA5KSLwaIGN
yDt9jOnPcGKxVIVJ3utX2al6JCcqhHyewljalnI8Yx+z0fpQXZKr0aRSad6DaswV
cL8CAwEAAaOCAa0wggGpMAsGA1UdDwQEAwIFoDAdBgNVHQ4EFgQUKy9D/Nq8h6fx
kC3juLJM5ngAl5owgccGA1UdIwSBvzCBvIAUKy9D/Nq8h6fxkC3juLJM5ngAl5qh
gaCkgZ0wgZoxCzAJBgNVBAYTAkNIMRAwDgYDVQQIEwdadWVyaWNoMRMwEQYDVQQH
EwpHbGF0dGJydWdnMRQwEgYDVQQKEwtUcml2YWRpcyBBRzESMBAGA1UECxMJZVNl
Y3VyaXR5MRkwFwYDVQQDExBGYWtlIFBlcnNvbmFsIENBMR8wHQYJKoZIhvcNAQkB
FhB0d2VAdHJpdmFkaXMuY29tggEAMBsGA1UdEQQUMBKBEHR3ZUB0cml2YWRpcy5j
b20wGwYDVR0SBBQwEoEQdHdlQHRyaXZhZGlzLmNvbTARBglghkgBhvhCAQEEBAMC
BkAwQAYJYIZIAYb4QgENBDMWMVRoaXMgY2VydGlmaWNhdGUgd2FzIGlzc3VlZCBi
eSBUcml2YWRpcyBTZXJ2ZXIgQ0EwIgYJYIZIAYb4QgEDBBUWE2NnaS9ub24tQ0Et
cmV2LmNnaT8wDQYJKoZIhvcNAQEEBQADgYEAPXMif43zU6Rm2BBuAaN93+SF+PaC
+prYSwNlWZN7IrIUPciet2PLdW/kDwyHlQizv+uvzEWU40OHDK7lhme5xvPINRTQ
tiQDZvOvzySF4UFybDMaq1Mwkmm1l5EcTLT4QlUb8sqvj6rchBIxIkwtzClEp/jK
Wm5qz8WqY9uxbU8=
-----END CERTIFICATE-----

What can I do to disallow that?

Bye
Tim
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
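The certificate above makes the problem concrete: a subject-DN-versus-issuer-DN comparison of the SSLRequire kind passes, yet the certificate was signed with its own key. The following is an added example (not code from the post, from Tim, or from mod_ssl) that reads the posted certificate with nothing but the Python standard library and applies three checks from the server's point of view: the DN comparison that the post says is fakeable, a comparison of the subjectKeyIdentifier with the authorityKeyIdentifier key id, and a verification of the RSA PKCS#1 v1.5 signature under the certificate's own public key, which is the property the DN test cannot see. The minimal DER walker, the `parse_certificate`/`assess` helpers and the OID table are this example's own assumptions; the signature algorithm table covers md5WithRSA (what the posted certificate uses), sha1WithRSA and sha256WithRSA.

```python
"""Spot a client certificate that is self-signed even though its subject and
issuer names differ.  Added example, standard library only (no `cryptography`)."""
import base64
import hashlib

# The certificate from the post: issuer "Fake Personal CA", subject "Thomas Weber".
POSTED_CERT_PEM = """
-----BEGIN CERTIFICATE-----
MIIEVzCCA8CgAwIBAgIBATANBgkqhkiG9w0BAQQFADCBmjELMAkGA1UEBhMCQ0gx
EDAOBgNVBAgTB1p1ZXJpY2gxEzARBgNVBAcTCkdsYXR0YnJ1Z2cxFDASBgNVBAoT
C1RyaXZhZGlzIEFHMRIwEAYDVQQLEwllU2VjdXJpdHkxGTAXBgNVBAMTEEZha2Ug
UGVyc29uYWwgQ0ExHzAdBgkqhkiG9w0BCQEWEHR3ZUB0cml2YWRpcy5jb20wHhcN
MDEwMTEyMDk0NzU3WhcNMDIwMTEyMDk0NzU3WjCBljELMAkGA1UEBhMCQ0gxEDAO
BgNVBAgTB1p1ZXJpY2gxEzARBgNVBAcTCkdsYXR0YnJ1Z2cxFDASBgNVBAoTC1Ry
aXZhZGlzIEFHMRIwEAYDVQQLEwllU2VjdXJpdHkxFTATBgNVBAMTDFRob21hcyBX
ZWJlcjEfMB0GCSqGSIb3DQEJARYQdHdlQHRyaXZhZGlzLmNvbTCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAxjqgeoNLo0U5y/KtzwhwkKdLW+bhxoN1PQbeBQk0
j0US/UYi/cjfNn2Na0gqp019vgCGfsE0yHVO9S6EFNgqAZ3hBXEgBGA5KSLwaIGN
yDt9jOnPcGKxVIVJ3utX2al6JCcqhHyewljalnI8Yx+z0fpQXZKr0aRSad6DaswV
cL8CAwEAAaOCAa0wggGpMAsGA1UdDwQEAwIFoDAdBgNVHQ4EFgQUKy9D/Nq8h6fx
kC3juLJM5ngAl5owgccGA1UdIwSBvzCBvIAUKy9D/Nq8h6fxkC3juLJM5ngAl5qh
gaCkgZ0wgZoxCzAJBgNVBAYTAkNIMRAwDgYDVQQIEwdadWVyaWNoMRMwEQYDVQQH
EwpHbGF0dGJydWdnMRQwEgYDVQQKEwtUcml2YWRpcyBBRzESMBAGA1UECxMJZVNl
Y3VyaXR5MRkwFwYDVQQDExBGYWtlIFBlcnNvbmFsIENBMR8wHQYJKoZIhvcNAQkB
FhB0d2VAdHJpdmFkaXMuY29tggEAMBsGA1UdEQQUMBKBEHR3ZUB0cml2YWRpcy5j
b20wGwYDVR0SBBQwEoEQdHdlQHRyaXZhZGlzLmNvbTARBglghkgBhvhCAQEEBAMC
BkAwQAYJYIZIAYb4QgENBDMWMVRoaXMgY2VydGlmaWNhdGUgd2FzIGlzc3VlZCBi
eSBUcml2YWRpcyBTZXJ2ZXIgQ0EwIgYJYIZIAYb4QgEDBBUWE2NnaS9ub24tQ0Et
cmV2LmNnaT8wDQYJKoZIhvcNAQEEBQADgYEAPXMif43zU6Rm2BBuAaN93+SF+PaC
+prYSwNlWZN7IrIUPciet2PLdW/kDwyHlQizv+uvzEWU40OHDK7lhme5xvPINRTQ
tiQDZvOvzySF4UFybDMaq1Mwkmm1l5EcTLT4QlUb8sqvj6rchBIxIkwtzClEp/jK
Wm5qz8WqY9uxbU8=
-----END CERTIFICATE-----
"""

OID_SKI = bytes.fromhex("551d0e")  # 2.5.29.14 subjectKeyIdentifier
OID_AKI = bytes.fromhex("551d23")  # 2.5.29.35 authorityKeyIdentifier

# signatureAlgorithm OID -> (hashlib name, PKCS#1 v1.5 DigestInfo prefix)
RSA_SIG_ALGS = {
    bytes.fromhex("2a864886f70d010104"): ("md5", bytes.fromhex("3020300c06082a864886f70d020505000410")),
    bytes.fromhex("2a864886f70d010105"): ("sha1", bytes.fromhex("3021300906052b0e03021a05000414")),
    bytes.fromhex("2a864886f70d01010b"): ("sha256", bytes.fromhex("3031300d060960864801650304020105000420")),
}


def tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, start, value_start, end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr += nbytes
    return tag, pos, pos + hdr, pos + hdr + length


def members(buf, start, end):
    """List the TLVs contained in a constructed value spanning [start, end)."""
    out, pos = [], start
    while pos < end:
        t = tlv(buf, pos)
        out.append(t)
        pos = t[3]
    return out


def parse_certificate(pem):
    """Pull out the pieces the checks need from an X.509 v3 certificate in PEM form."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, _, vs, ve = tlv(der, 0)                 # Certificate ::= SEQUENCE {tbs, sigAlg, sigValue}
    tbs, sig_alg, sig_val = members(der, vs, ve)
    fields = members(der, tbs[2], tbs[3])
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, subjectPublicKeyInfo, [3] extensions
    alg_oid = members(der, sig_alg[2], sig_alg[3])[0]
    _, spki_bits = members(der, fields[5][2], fields[5][3])
    _, _, rs, re_ = tlv(der, spki_bits[2] + 1)  # skip BIT STRING unused-bits byte -> RSAPublicKey
    n_el, e_el = members(der, rs, re_)
    exts = {}
    for f in fields[6:]:
        if f[0] == 0xA3:
            _, _, es, ee = tlv(der, f[2])
            for ext in members(der, es, ee):   # Extension ::= SEQUENCE {oid, [critical], value}
                parts = members(der, ext[2], ext[3])
                exts[der[parts[0][2]:parts[0][3]]] = der[parts[-1][2]:parts[-1][3]]
    return {
        "tbs": der[tbs[1]:tbs[3]],             # the bytes that were signed, header included
        "sig_alg": der[alg_oid[2]:alg_oid[3]],
        "signature": der[sig_val[2] + 1:sig_val[3]],
        "issuer": der[fields[2][1]:fields[2][3]],
        "subject": der[fields[4][1]:fields[4][3]],
        "n": int.from_bytes(der[n_el[2]:n_el[3]], "big"),
        "e": int.from_bytes(der[e_el[2]:e_el[3]], "big"),
        "extensions": exts,
    }


def key_identifiers(cert):
    """Return (subjectKeyIdentifier, authorityKeyIdentifier.keyIdentifier); either may be None."""
    exts, ski, aki = cert["extensions"], None, None
    if OID_SKI in exts:
        t = tlv(exts[OID_SKI], 0)              # OCTET STRING
        ski = exts[OID_SKI][t[2]:t[3]]
    if OID_AKI in exts:
        buf = exts[OID_AKI]
        _, _, s, e = tlv(buf, 0)               # AuthorityKeyIdentifier ::= SEQUENCE
        for m in members(buf, s, e):
            if m[0] == 0x80:                   # [0] keyIdentifier
                aki = buf[m[2]:m[3]]
    return ski, aki


def signed_by_own_key(cert):
    """True when the RSA PKCS#1 v1.5 signature verifies under the certificate's own key."""
    if cert["sig_alg"] not in RSA_SIG_ALGS:
        raise ValueError("unsupported signature algorithm")
    hash_name, prefix = RSA_SIG_ALGS[cert["sig_alg"]]
    n, e = cert["n"], cert["e"]
    k = (n.bit_length() + 7) // 8
    em = pow(int.from_bytes(cert["signature"], "big"), e, n).to_bytes(k, "big")
    t = prefix + hashlib.new(hash_name, cert["tbs"]).digest()
    return em == b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def assess(pem):
    """Run the three checks; the first is the SSLRequire-style DN test from the post."""
    cert = parse_certificate(pem)
    ski, aki = key_identifiers(cert)
    return {
        "dn_check_passes": cert["subject"] != cert["issuer"],
        "ski_equals_aki": ski is not None and ski == aki,
        "signed_by_own_key": signed_by_own_key(cert),
    }


if __name__ == "__main__":
    for name, value in assess(POSTED_CERT_PEM).items():
        print(f"{name}: {value}")
```

On the posted certificate the DN test passes while the other two checks both flag it, which is the whole point of the post: a name comparison says nothing about who holds the signing key. The key-identifier comparison is only a hint (both extensions are written by whoever issues the certificate), so the signature check is the one a server-side rule should rest on; what mod_ssl's `SSLVerifyClient require` actually does is stronger still, since it insists that the client certificate chain to a CA listed in `SSLCACertificateFile`, and a certificate signed with its own key, whatever its issuer DN says, never reaches one.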
