Gastón Christen wrote:
> Hi, I'm new in the apache/openssl world and I have a question (maybe it's me
> but I don't understand something about client certificates authentication in
> Apache)
> I have Apache 2.40 with openssl 0.9.6g running in my win32 machine without a
> problem.
> I want to establish an extranet, and let users authenticate with client
> certificates. I set up my config files (httpd.conf & ssl.conf) to do this
> and it is working fine.
>
> Here is my problem:
>
> If I trust in (for example) Verisign (putting their certificate in
> SSLCACertificate file) and filter the certificates I accept with some config
> lines like
>
> #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
>
> How can I be sure that I'm letting in ONLY my extranet users and not anybody
> else with a certificate signed by Verisign whose DN matches my filter?
>
> Is there any way to tell Apache to accept only certain certificates? (not
> necessarily signed by the same CA) (maybe a file with the certificates
> concatenated)
>
> My original intention was to tell my extranet users to request a certificate
> on their own (with the CA they like the most), and then use those
> certificates to let them in.
>
> Thanks in advance.
>
>
> Gaston Christen
> Internet Technology
> Siemens Itron Business Services
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]

Hi Gaston,

try FakeBasicAuth in apache (see mod_ssl manual)

Kind regards,
Chris

--
Christian Pohl
»|secaron
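
The FakeBasicAuth setup suggested in the reply, as an added example that is not part of the original thread or of the mod_ssl distribution. The location, the file paths and the verify depth are placeholder assumptions; the sample user-file line follows the format shown in the mod_ssl manual.

```apache
# Added illustration; /extranet, the conf/ paths and the depth are placeholders.

# CAs whose client certificates are considered at all. Keep this set as
# small as possible: FakeBasicAuth matches on the subject DN string only,
# so any CA listed here could issue a certificate carrying an admitted DN.
SSLCACertificateFile conf/ssl.crt/extranet-client-cas.crt

<Location /extranet>
    # Refuse plain HTTP for this area.
    SSLRequireSSL

    # A client certificate that chains to a CA above is mandatory.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Present the certificate's subject DN to the Basic Auth layer as
    # the user name, with the fixed password "password".
    SSLOptions      +FakeBasicAuth

    AuthType        Basic
    AuthName        "Extranet"
    # Allowlist of admitted subject DNs, see below.
    AuthUserFile    conf/extranet.dn
    Require         valid-user
</Location>

# conf/extranet.dn holds one line per admitted certificate:
#   <full subject DN>:<crypt hash of the word "password">
# for example (from the mod_ssl manual):
#   /C=DE/L=Munich/O=Snake Oil, Ltd./OU=Staff/CN=Foo:xxj31ZMTZzkVA
# A certificate whose subject DN is not listed fails "Require valid-user"
# even though its CA is trusted.
```

Because the allowlist is keyed on the DN rather than on the certificate itself, admitting users who each pick their own CA means trusting every one of those CAs not to issue a second certificate with the same subject.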