On Fri, Jan 12, 2001 at 11:33:30AM +0100, Tim Tassonis wrote:
> Hi
>
> I've got a question regarding client authentication and self-signed
> certificates:
>
> I want to force mod_ssl to ban self-signed certificates from being
> accepted as valid certificates. From what I remember, one suggestion was
> to use SSLRequire in order to compare the subject_dn to the issuer_dn.
> But this seems to be easily fakeable:
>
> 1. Create a self-signed CA certificate
> 2. Create a request using the above key, but a different DN
> 3. Sign it
I don't understand what you want to achieve:
- You want to force people to present a _valid_ certificate:
    SSLVerifyClient require
  The client must present a certificate _and_ it is tested against the
  trusted CAs you configured with the SSLCACertificateFile (or ...Path)
  option.
For whatever else you are doing, it is fakeable. If you don't like
self-signed certificates, I simply create my own CA and issue my
client certificate myself. It is no more trustworthy than a self-signed
certificate.
The authenticity of a certificate can only be guaranteed if you have
additional trustworthy information in the form of the trusted CAs.
Best regards,
Lutz
--
Lutz Jaenicke [EMAIL PROTECTED]
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
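Added illustration of the point made in this thread, not code from the original exchange or from mod_ssl: it replays the three steps in the question against the two checks discussed (subject DN equals issuer DN, as an SSLRequire rule would test, versus chain verification against a configured CA, as SSLVerifyClient require does). Go standard library only; every CA name and certificate subject is constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue returns a client-auth certificate named cn. With parent == nil it is self-signed
// (a home-made CA, step 1 of the question); otherwise parent and parentKey sign it.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil { // Go self-signs when the parent is the template itself
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Demo replays the question's three steps and reports whether the SSLRequire-style DN test
// rejects the forged client cert, whether chain verification against the configured CA
// (what SSLVerifyClient require does) rejects it, and whether a genuine cert still passes.
func Demo() (dnRejects, chainRejects, genuineOK bool) {
	realCA, realKey := issue("Trusted CA (constructed)", true, nil, nil)
	myCA, myKey := issue("My Own CA (constructed)", true, nil, nil) // step 1
	forged, _ := issue("client with a different DN", false, myCA, myKey) // steps 2 and 3
	genuine, _ := issue("client", false, realCA, realKey)
	roots := x509.NewCertPool() // stands in for SSLCACertificateFile
	roots.AddCert(realCA)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	_, errForged := forged.Verify(opts)
	_, errGenuine := genuine.Verify(opts)
	return forged.Subject.String() == forged.Issuer.String(), errForged != nil, errGenuine == nil
}
```

The forged certificate sails past the DN comparison because its subject and issuer differ, while chain verification rejects it and still accepts the certificate issued by the configured CA.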