Rob Crittenden wrote:
> Yes, mod_nss supports the same environment variables as mod_ssl.
> http://directory.fedoraproject.org/wiki/Mod_nss
>   
I couldn't figure out (explicitly) from that page that this is the case....
> Normally mod_nss will not let you start Apache with a bad certificate 
> (expired, not a server cert, etc). NSSEnforceValidCerts lets you 
> override that.
>   
OK
> There is no equivalent for SSLVerifyDepth. My understanding of how 
> intermediate CAs are evaluated in NSS is admittedly sketchy but I 
> believe it requires all of them to be installed and trusted.
>   
That seems to be the most likely explanation - knowing NSS. In client 
auth however the client mustn't send the full chain (not sure about 
that?) and the (intermediate) issuer doesn't have to be necessarily the 
same as the one on the server...
How can I limit authentication to accept only one specific CA and 
otherwise fail? I expect here to run into the issue of the Mozilla browser 
selecting the most convenient client certificate on its own by default....
> rob
Since mod_nss is conveniently included in Red Hat / StartCom Enterprise, 
I'll give it a shot on a test server...


-- 
Regards 
 
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390
 

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
