On Fri, Jan 16, 2009 at 8:48 AM, Peter Schober
<[email protected]> wrote:
> * Brian Mearns <[email protected]> [2009-01-16 14:40]:
>> First, if I use SSLRequire to check various fields in a client's
>> certificate, is it implied that the certificate has already been
>> verified as signed by one of the CA's I've defined in
>> SSLCACertificateFile, for instance? In other words, this isn't just
>> checking that someone made a certificate with the correct DN values,
>> right? It's also verifying implicitly that it comes from an approved
>> CA? I assume the same is true if I use FakeBasicAuth?
>
> http://httpd.apache.org/docs/2.2/en/mod/mod_ssl.html#sslcacertificatefile
>
> probably also of interest:
> http://httpd.apache.org/docs/2.2/en/mod/mod_ssl.html#sslverifyclient
> http://httpd.apache.org/docs/2.2/en/mod/mod_ssl.html#sslrequiressl
> etc.
>

Thanks, I actually just got finished reading through that whole page
before I sent the question though. The doc isn't explicit (from what I
could tell, anyway), about what it actually means to "only deal with".
I guess the meaning is probably pretty obvious, but I want to make
sure it really means that the server will automatically reject client
certs not signed by an approved CA before it gets to the SSLRequire
directive.

Thanks,
-Brian
-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://pgp.mit.edu/
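
The distinction asked about above, as an added configuration sketch that is not part of the original thread: whether a certificate from an unapproved CA ever reaches SSLRequire depends on the SSLVerifyClient level. Host names, file paths and the DN value are constructed placeholders, and the two virtual hosts are alternatives rather than one deployable file.

```apache
# Constructed example: paths, host names and DN values are placeholders.

# Weak setting: optional_no_ca lets the handshake complete even when the
# client certificate does not chain to a CA in SSLCACertificateFile, so the
# DN comparison below can be satisfied by a self-made certificate that
# simply carries the expected field value.
<VirtualHost *:443>
    ServerName weak.example.org
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt
    SSLVerifyClient optional_no_ca
    <Location /secure>
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Corp"
    </Location>
</VirtualHost>

# Corrected setting: with "require", mod_ssl aborts the handshake unless the
# client presents a certificate that verifies against the configured CAs, so
# the request never reaches SSLRequire with an unverified certificate.
<VirtualHost *:443>
    ServerName strict.example.org
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt
    SSLVerifyClient require
    <Location /secure>
        # Refuse plain-HTTP access to this path even if the host is
        # misconfigured later.
        SSLRequireSSL
        # Make SSL denials final even when a "Satisfy any" is in effect.
        SSLOptions +StrictRequire
        # SSL_CLIENT_VERIFY is SUCCESS only for a verified chain; testing it
        # explicitly keeps the DN check safe if the verify level is later
        # loosened to optional_no_ca (which reports GENEROUS instead).
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
               and %{SSL_CLIENT_S_DN_O} eq "Example Corp"
    </Location>
</VirtualHost>
```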

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.