On Fri, Oct 22, 2004, TAYLOR, TIM (CONTRACTOR) wrote:
> I have a situation where my trusted root has two different kinds of intermediate CAs
> (identity and email, say) that issue identity and email signing certificates,
> respectively. I would like to only allow users to authenticate to my Apache web
> servers with the identity certificate.
>
> The certificateRequest message, I thought, allows me to control not just what type
> (RSA-sign, Key exch, et al) of certificates are submitted but also what intermediate
> CAs are acceptable. I have gotten this to work in the past and now it has
> mysteriously stopped working. Using Apache V2.0.5 and OpenSSL 0.9.7d. Without this
> discrimination at the server, users who have both identity and email certs get
> prompted to pick from the two since they both are RSA-sign certs issued by the same
> trusted root CA. Both the TLS1 RFC2246 and SSLv3 Draft seem to say this is
> controllable. What have you out there found/implemented?
>
> What conditions and/or versions would allow me to indicate to the user browser that
> only the identity CA is acceptable?
>
> Excerpt from my httpd.conf
> SSLEngine on
> SSLSessionCacheTimeout 3600
> SSLCACertificatePath /admin/users/fin23117/apache2/conf/CAcerts/
> SSLCertificateFile /admin/users/fin23117/apache2/conf/engsslcert.pem
> SSLCertificateKeyFile /admin/users/fin23117/apache2/conf/engsslkey.pem
> SSLProtocol All -SSLv2
> SSLCipherSuite RSA:!NULL:!EXP:+HIGH:+MEDIUM:-LOW
> SSLOptions +StdEnvVars +ExportCertData
> SSLVerifyClient require
> SSLVerifyDepth 2
> SSLOptions +FakeBasicAuth +StdEnvVars +ExportCertData
>
> Contents of CAcerts directory
> <hash.0> symbolic links to pem encoded identity CA certificates
> <hash.0> symbolic link to pem encoded root CA certificate
>
> I have debug level logging on and I can see where my SSLCACertificatePath certs are
> loaded into the config successfully.
>
> My users don't know the difference between certificates (let alone what a
> certificate is) and I don't have time to explain to the thousands of them which one
> to pick. Conversely, if I can guarantee that only the identity cert is authenticated
> to my site I will only need to support (the smaller) half of the CRLs I would need
> to otherwise.
>
Well this could have been controlled in the certificates themselves by including an
extended key usage extension to allow client authentication or email protection. Then a
savvy browser wouldn't present the wrong certificate type.

As things stand you may get the same effect by just including one intermediate
certificate in the certificate request message. If you include the root CA then this
will mean a browser could present either.

You can use the s_client utility in OpenSSL to check the list of acceptable CA names the
server sends, then tweak the configuration until it gives appropriate values.

Steve.
--
Dr Stephen N. Henson. Email, S/MIME and PGP keys: see homepage
OpenSSL project core developer and freelance consultant.
Funding needed! Details on homepage.
Homepage: http://www.drh-consultancy.demon.co.uk
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                [EMAIL PROTECTED]
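As an added illustration, not part of the thread, here is a small Python decoder for the certificate_authorities list that an RFC 2246 CertificateRequest body carries (the same list s_client reports as acceptable client certificate CA names); the CA names and the two messages are constructed sample data standing in for what a server that loads the root as well, versus only the identity intermediate, would send.

```python
ATTR = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a"}   # OIDs for the RDN types used
OID_NAME = {v: k for k, v in ATTR.items()}

def der(tag, body):
    """One DER TLV, short-form length (all bodies here are under 128 bytes)."""
    return bytes([tag, len(body)]) + body

def name(*rdns):
    """DER X.501 Name from (attr, value) pairs: SEQUENCE of SET of SEQUENCE{OID, UTF8String}."""
    return der(0x30, b"".join(
        der(0x31, der(0x30, der(0x06, ATTR[k]) + der(0x0c, v.encode()))) for k, v in rdns))

def cert_request(types, names):
    """RFC 2246 CertificateRequest body: types<1..2^8-1> then certificate_authorities<3..2^16-1>."""
    cas = b"".join(len(n).to_bytes(2, "big") + n for n in names)
    return bytes([len(types)]) + bytes(types) + len(cas).to_bytes(2, "big") + cas

def tlv(buf, pos):
    """(tag, value, next_pos) for the short-form DER TLV starting at pos."""
    tag, ln = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + ln], pos + 2 + ln

def dn_to_str(dn):
    """Render a DER Name as 'O=...,CN=...' (unknown OIDs shown as hex)."""
    _, seq, _ = tlv(dn, 0)
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = tlv(seq, pos)        # SET holding one AttributeTypeAndValue
        _, atv, _ = tlv(rdn, 0)
        _, oid, p = tlv(atv, 0)
        _, val, _ = tlv(atv, p)
        parts.append(f"{OID_NAME.get(oid, oid.hex())}={val.decode()}")
    return ",".join(parts)

def acceptable_cas(msg):
    """Parse a CertificateRequest body into (certificate_types, [DN strings])."""
    types, pos = list(msg[1:1 + msg[0]]), 1 + msg[0]
    end = pos + 2 + int.from_bytes(msg[pos:pos + 2], "big")
    pos, dns = pos + 2, []
    while pos < end:
        ln = int.from_bytes(msg[pos:pos + 2], "big")
        dns.append(dn_to_str(msg[pos + 2:pos + 2 + ln]))
        pos += 2 + ln
    return types, dns

# Constructed sample CAs and messages; certificate type 1 is rsa_sign.
IDENTITY_CA = name(("O", "Example"), ("CN", "Identity CA"))
ROOT_CA = name(("O", "Example"), ("CN", "Root CA"))
LOOSE = cert_request([1], [IDENTITY_CA, ROOT_CA])   # root listed: either chain is acceptable
STRICT = cert_request([1], [IDENTITY_CA])           # only the identity intermediate listed

def root_advertised(msg):
    """True if the root CA's name is advertised, so email certs would be acceptable too."""
    return dn_to_str(ROOT_CA) in acceptable_cas(msg)[1]
```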