"Ralf S. Engelschall" wrote:

> > > SSLRequire %{SSL_CLIENT_I_DN} != %{SSL_CLIENT_S_DN}
> >
> > Ok, but this seems to help only if a client's certificate itself is self-signed.
> > But what if it is signed by a custom-made CA whose cert is self-signed? Or even
> > if there are more levels in the chain whose root is a self-signed CA certificate?
>
> That's how a cert chain works: the root CA is always self-signed!  What you

I know

> mean is whether the root cert is signed by a CA which is known to you. That's

Right.

> what can be done with SSLVerifyClient and SSLCACertificatePath.

I've just reread the manual. It says "...depth of 1 means the client certificate can
be self-signed or has to be signed by a CA which is directly known to the server".
If this means that a cert which is not self-signed is supposed to be valid *only* if its
chain leads to a cert signed by a *real* CA, then it's just what I need.
Thank you.

--
Anton Voronin                | Ural Regional Center of FREEnet,
[EMAIL PROTECTED]              | Southern Ural University, Chelyabinsk, Russia
http://www.urc.ac.ru/~anton  | Programmer & System Administrator
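As an added example (not part of the thread), here are the two approaches discussed above side by side in mod_ssl configuration; the CA file path and the organisation name are placeholders.

```apache
# Added example, not from the thread. Assumes /etc/httpd/ssl/trusted-client-ca.pem
# (placeholder path) holds only the CA certificates you trust to issue client certs.

# Insufficient on its own: this expression refuses a self-signed leaf (issuer DN equals
# subject DN) but says nothing about whether the issuer is trusted, so a leaf issued by
# any home-made CA whose chain ends in some self-signed root still satisfies it.
#   SSLVerifyClient optional
#   SSLRequire %{SSL_CLIENT_I_DN} != %{SSL_CLIENT_S_DN}

# Sufficient: have OpenSSL build the chain and check it against the server's trust store.
# Server-level trust store (server config / virtual host context only).
SSLCACertificateFile /etc/httpd/ssl/trusted-client-ca.pem

<Location /secure>
    # Handshake fails without a client certificate that verifies.
    SSLVerifyClient require
    # Depth 1: the client cert must be issued directly by a CA in the store.
    # A self-signed client cert only passes if that very cert is itself in the store.
    SSLVerifyDepth 1
    # Optional tightening: even among trusted CAs, only accept certs issued by this one.
    SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example Org CA"
</Location>
```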



______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]