I've found myself in the same quandary as this guy [1]. My CA structure is as follows.
  RootCA
    SubCA1
      SubCA1 Server
      SubCA1 Clients
    SubCA2
      SubCA2 Server
      SubCA2 Clients

I have two HTTPS vhost containers. One has a server certificate issued by SubCA1 and should only accept client certificates from SubCA1. Likewise, another for SubCA2, which should only accept client certificates from SubCA2.

The only way I seem to reliably [2] allow IE and Firefox clients to connect to their respective servers is, in the instance of the first vhost, to reference RootCA + SubCA1 in SSLCACertificateFile and set SSLCACertificateFile to 2. However, in the following scenarios clients with SubCA2 certificates are also able to connect, which would appear to negate the crux of SSLVerifyClient.

a) Using openssl s_client with a client certificate on SubCA2 and -CAfile referencing RootCA + SubCA2 succeeds.

b) Using Firefox with a client certificate on SubCA2 to connect to the SubCA2 hostname and, once loaded, then changing to the SubCA1 hostname also succeeds.

I see that there's been the addition of the SSLCADNRequestFile directive in Apache 2.2.x, but I don't see how this relates to this particular problem. I also understand that I could narrow the problem by using SSLRequire directives and the %{SSL_CLIENT_I_DN} variable, but this seems a hackish solution to something that should be handled by SSLCACertificateFile alone.

Is this a bug? Any advice is appreciated. I can provide further details about my Apache configs or logs if required.

Regards,

[1] http://www.mail-archive.com/modssl-users@modssl.org/msg17546.html
[2] Without, like the aforementioned poster, receiving "unable to get issuer certificate" or Verify Depth errors

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
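The following vhost is an added illustration of the issuer-pinning approach the poster mentions (SSLRequire on %{SSL_CLIENT_I_DN}); it is not the poster's configuration and not from the mod_ssl project. The hostname, file paths and the DN string are assumptions; the directives are the Apache 2.2 mod_ssl ones named in the post plus SSLOptions +StrictRequire.

```apache
# Added example, not the original poster's config: the SubCA1 vhost, which
# should accept only client certificates issued by SubCA1.
# Hostname, paths and the DN string below are assumptions; substitute your own.
<VirtualHost *:443>
    ServerName subca1.example.test                       # assumed hostname

    SSLEngine on
    SSLCertificateFile    /etc/ssl/subca1-server.crt     # assumed path
    SSLCertificateKeyFile /etc/ssl/subca1-server.key     # assumed path

    # Trust store used to build the client's chain. It has to contain RootCA,
    # otherwise OpenSSL fails with "unable to get issuer certificate". Because
    # RootCA is trusted, a SubCA2 client whose chain also ends at RootCA still
    # verifies here: SSLCACertificateFile alone does not pin the intermediate.
    SSLCACertificateFile  /etc/ssl/rootca-plus-subca1.pem  # assumed path
    SSLVerifyClient       require
    SSLVerifyDepth        2

    # Advertise only SubCA1 as an acceptable CA in the CertificateRequest so
    # browsers offer the matching certificate. This guides client selection;
    # it does not reject a certificate from another issuer on its own.
    SSLCADNRequestFile    /etc/ssl/subca1-only.pem         # assumed path

    # The actual issuer pin: after the chain has verified, deny any client
    # certificate whose immediate issuer is not SubCA1. StrictRequire makes
    # a failed SSLRequire deny access regardless of other access controls.
    <Location />
        SSLOptions +StrictRequire
        SSLRequire %{SSL_CLIENT_I_DN} eq "/C=XX/O=Example/CN=SubCA1"
    </Location>
</VirtualHost>
```

The DN string must match the form mod_ssl produces for SSL_CLIENT_I_DN (the slash-separated "oneline" format in 2.2; 2.4 switches to RFC 2253 commas unless LegacyDNStringFormat is on), so check the value in the SSL request log before relying on the comparison. On 2.4, the same check is written as a Require expr on %{SSL_CLIENT_I_DN}, since SSLRequire is deprecated there.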