"Ralf S. Engelschall" wrote:
> On Thu, Mar 04, 1999, Anton Voronin wrote:
>
> > Is it possible to configure mod-ssl *not* to trust self-signed
> > certificates?
>
> You mean client certificates, right? Hmmm.. yes, you can use SSLRequire in
> addition to the standard client verification to require that the issuer of the
> client certificate is not equal to the subject of the certificate:
>
> SSLRequire %{SSL_CLIENT_I_DN} != %{SSL_CLIENT_S_DN}

Ok, but this seems to help only if a client's certificate itself is self-signed.
But what if it is signed by a custom-made CA whose cert is self-signed? Or even
if there are more levels in a chain whose root is a self-signed CA certificate?
--
Anton Voronin | Ural Regional Center of FREEnet,
[EMAIL PROTECTED] | Southern Ural University, Chelyabinsk, Russia
http://www.urc.ac.ru/~anton | Programmer & System Administrator
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
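
An added configuration example, not part of the original thread: the SSLRequire check quoted above combined with the standard client verification it is meant to supplement. The file paths and the depth value are assumptions chosen for illustration.

```apache
# Added example; paths and the depth value are placeholders, not from the thread.

# Standard client verification: the client must present a certificate, and its
# chain must end at a CA certificate listed in SSLCACertificateFile. A chain
# whose self-signed root is not in that file fails verification, no matter how
# many intermediate levels it has.
SSLVerifyClient        require
SSLVerifyDepth         3
SSLCACertificateFile   /path/to/trusted-client-cas.pem

<Directory /path/to/protected>
    # The check from the thread. It compares only the issuer DN and subject DN
    # of the client certificate itself, so it rejects a self-signed client
    # certificate but says nothing about certificates higher up the chain.
    SSLRequire %{SSL_CLIENT_I_DN} != %{SSL_CLIENT_S_DN}
</Directory>
```

With this layout the decision about which roots to accept is made by the contents of the CA file, while the SSLRequire expression only covers the leaf certificate.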