On Thu, Mar 04, 1999, Anton Voronin wrote:

> > > is it possible to configure mod-ssl *not* to trust to self-signed
> > > certificates?
> >
> > You mean client certificates, right?  Hmmm.. yes, you can use SSLRequire in
> > addition to the standard client verification to require that the issuer of the
> > client certificate is not equal to the subject of the certificate:
> >
> > SSLRequire %{SSL_CLIENT_I_DN} != %{SSL_CLIENT_S_DN}
> 
> Ok, but this seems to help only if a client's certificate itself is self-signed.
> But what if it is signed by a custom-made CA whose cert is self-signed? Or even
> if there are more levels in chain whose root is a self-signed CA certificate?

That's how a cert chain works: the root CA is always self-signed!  What you
mean is whether the root cert is signed by a CA which is known to you. That's
what can be done with SSLVerifyClient and SSLCACertificatePath.

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
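
The setup discussed in this thread, written out as a configuration fragment. This is an added example, not part of the original message; the directory path and the /secure location are placeholders, and the depth value is an assumption to adapt to your own chain length.

```apache
# Added example (not from the original post). Paths and /secure are placeholders.

# Trust anchors: only the root CA certificates you place in this directory
# are accepted as the end of a client certificate chain. The directory must
# hold the hash-named symlinks that the SSL library uses to look up issuers.
SSLCACertificatePath /path/to/trusted-ca-certs

# Weak setting, shown for contrast: a client certificate is requested but
# need not verify, so self-signed certificates and chains ending in an
# unknown root are let through.
#SSLVerifyClient optional_no_ca

# Corrected setting: the client must present a certificate whose chain
# verifies up to one of the roots in SSLCACertificatePath. A chain that ends
# in a self-signed root you have not installed there fails the handshake.
SSLVerifyClient require

# Upper bound on how many CA certificates may sit between the client
# certificate and the trusted root (assumed value).
SSLVerifyDepth 3

<Location /secure>
    # Additional check from the thread: refuse a client certificate whose
    # issuer DN equals its own subject DN. This only matters if such a
    # certificate has itself been placed among the trusted certificates.
    SSLRequire %{SSL_CLIENT_I_DN} != %{SSL_CLIENT_S_DN}
</Location>
```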
