> > > > I want to force mod_ssl to ban self-signed certificates from being > > accepted as valid certificates. From what I remember, one suggestion was > > to use SSLRequire in order to compare the subject_dn to the issuers_dn. > > But this seems to be easily fakeable: > > > > 1. Create a self signed CA certificate > > 2. Create request using above's key, but different dn > > 3. Sign it > > I don't understand what you want to achieve: > - You want to enforce people to present a _valid_ certificate: > SSLVerifyClient require > The client must present a certificate _and_ it is tested against the > trusted CAs you configured with the SSLCACertificateFile (or ...Path) > option. OR it is self signed, as far as I understand SSLVerify Client and SSLVerifyDepth. Did I miss something (from the online manual of SSLVerifyDepth) ? ... A depth of 0 means that self-signed client certificates are accepted only, the default depth of 1 means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server (i.e. the CA's certificate is under SSLCACertificatePath), etc. ... > For whatever else you are doing, it is fakeable. If you don't like > self signed certificates, I simply create my own CA and issue my > client certificate myself. It is not more to be trusted than a self > signed certificate. Well, that depends solely on your CA policy. It certainly CAN be made a lot more trusted. A self signed certificate can't be trusted at all. > The authenticity of a certificate can only be guaranteed, if you have > additional trustworthy information in form of the trusted CAs. Exactly. That's what we have and we want to only allow certificates from this CA and not self signed ones at well. Bye Tim ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
