David P. Mott wrote:
>
> I don't know why I didn't find this in the dozens of Google searches
> that I did *before* I posted my question, but these seem to be what I'm
> looking for:
>
> SSLCADNRequestFile / SSLCADNRequestPath
Please be aware that Apache/ModSSL uses the SSLCADNRequestFile / SSLCADNRequestPath only for submitting a list of accepted CAs to the client. It does not use this for verification.

So: usually a client will send the certificate of the requested subCA (even if he has client certificates from both CAs), but this does not mean that a malicious client could not send a client certificate of the other CA. This certificate would then be accepted (because evaluation of the chain is still done against the certificates from SSLCACertificateFile). There is no check against the certificates from SSLCADNRequestFile...

Regards,
Olaf

--
Dipl.Inform. Olaf Gellert                  INTRUSION-LAB.NET
Senior Researcher,                         www.intrusion-lab.net
PKI - and IDS - Services                   [EMAIL PROTECTED]

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
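As an added illustration of Olaf's point (not part of the original thread), here is the configuration that relies on SSLCADNRequestFile alone beside one that actually restricts the issuer. The file paths and DNs are hypothetical, and the SSLRequire check on SSL_CLIENT_I_DN is my addition, not something the thread proposes.

```apache
# Added example, not from the original thread. Paths and DNs are hypothetical.
# Scenario: two sub-CAs under one root issue client certificates; only
# holders of "Sub CA A" certificates are supposed to get in.

# --- Weak: expects SSLCADNRequestFile to restrict which clients are accepted ---
# SSLCADNRequestFile only controls the CA names advertised to the client in
# the CertificateRequest. Chain verification runs against SSLCACertificateFile,
# so a certificate issued by Sub CA B still verifies and is accepted.
<VirtualHost *:443>
    SSLEngine            on
    SSLVerifyClient      require
    SSLVerifyDepth       2
    SSLCACertificateFile /etc/ssl/ca/root-and-all-subcas.pem  # root + Sub CA A + Sub CA B
    SSLCADNRequestFile   /etc/ssl/ca/subca-a.pem              # advertised only, not enforced
</VirtualHost>

# --- Corrected: enforce the issuer on top of chain verification ---
# Trimming SSLCACertificateFile to root + Sub CA A is not enough on its own:
# a client can send the Sub CA B intermediate along with its own certificate,
# and the chain still verifies up to the trusted root. The SSLRequire line
# checks the issuer DN of the presented client certificate, so a Sub CA B
# certificate is rejected with 403 even though its chain verifies.
<VirtualHost *:443>
    SSLEngine            on
    SSLVerifyClient      require
    SSLVerifyDepth       2
    SSLCACertificateFile /etc/ssl/ca/root-and-subca-a.pem     # root + Sub CA A only
    SSLCADNRequestFile   /etc/ssl/ca/subca-a.pem              # still advertised to clients
    <Location />
        # DN string format: the slash form below is the legacy mod_ssl format;
        # newer Apache releases default to the RFC 2253 comma-separated form,
        # so match the form your version actually exposes in SSL_CLIENT_I_DN.
        SSLRequire %{SSL_CLIENT_I_DN} eq "/C=DE/O=Example Corp/CN=Sub CA A"
    </Location>
</VirtualHost>
```

Log SSL_CLIENT_I_DN (for example via a CustomLog with %{SSL_CLIENT_I_DN}x) so that certificates from the unexpected CA show up in the access log rather than silently passing.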