Hi,
Is mod-ssl able to do client authentication and require that the client
has a certificate signed by a specific subordinate CA ?
Of course it can be done if you combine SSLCACertificatePath with
SSLRequire.
But, in the TLS specification, when the server requests the client
certificate, it is able to send the list of accepted issuer DNs.
In mod_ssl, if you configure SSLCACertificateFile, the top root DN is
sent. Then in Netscape, if a client has a certificate signed by a
subordinate CA, it is (eventually) automatically chosen even if this is the
wrong certificate.
Am I missing something, or is it right?
Do you have an idea about resolving this cleanly?
Thanks,
Marc.
==============
7.4.4. Certificate request
When this message will be sent:
A non-anonymous server can optionally request a certificate from
the client, if appropriate for the selected cipher suite. This
message, if sent, will immediately follow the Server Key Exchange
message (if it is sent; otherwise, the Server Certificate
message).
Structure of this message:

    enum {
        rsa_sign(1), dss_sign(2), rsa_fixed_dh(3), dss_fixed_dh(4),
        (255)
    } ClientCertificateType;

    opaque DistinguishedName<1..2^16-1>;

    struct {
        ClientCertificateType certificate_types<1..2^8-1>;
        DistinguishedName certificate_authorities<3..2^16-1>;
    } CertificateRequest;

certificate_types
    This field is a list of the types of certificates requested,
    sorted in order of the server's preference.

certificate_authorities
    A list of the distinguished names of acceptable certificate
    authorities. These distinguished names may specify a desired
    distinguished name for a root CA or for a subordinate CA;
    thus, this message can be used both to describe known roots
    and a desired authorization space.
Note: DistinguishedName is derived from [X509].
Note: It is a fatal handshake_failure alert for an anonymous server to
request client identification.
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
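The following is an added example, not code from the original post or from mod_ssl. It serialises and parses the CertificateRequest body exactly as the quoted RFC 2246 struct lays it out (a one-byte-length vector of certificate_types, then a two-byte-length vector of two-byte-length-prefixed DER DistinguishedNames), and models a strict client that only offers a certificate whose issuer DN is byte-for-byte in certificate_authorities. The CA names, the client certificates and the CN-only DER Name encoder are constructed for the demonstration; the point it shows is that a server which lists only the root DN gives such a client no way to prefer a certificate issued by the intended subordinate CA, whereas naming the subordinate CA in certificate_authorities does.

```python
import struct

# ClientCertificateType values from RFC 2246 section 7.4.4
CERT_TYPES = {1: "rsa_sign", 2: "dss_sign", 3: "rsa_fixed_dh", 4: "dss_fixed_dh"}
OID_CN = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3


def _der(tag, body):
    """Minimal DER TLV encoder (short form and two-byte long form lengths)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    if n < 0x10000:
        return bytes([tag, 0x82]) + struct.pack(">H", n) + body
    raise ValueError("body too long for this encoder")


def der_name_cn(cn):
    """Encode an X.501 Name holding a single commonName (constructed sample DN)."""
    atv = _der(0x30, _der(0x06, OID_CN) + _der(0x13, cn.encode("ascii")))
    return _der(0x30, _der(0x31, atv))


def _tlv(buf, pos):
    """Decode one DER TLV at pos; returns (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def cn_from_der_name(name):
    """Return the first commonName found in a DER X.501 Name, or None."""
    tag, rdn_seq, _ = _tlv(name, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    pos = 0
    while pos < len(rdn_seq):
        _, rdn_set, pos = _tlv(rdn_seq, pos)      # SET OF AttributeTypeAndValue
        p = 0
        while p < len(rdn_set):
            _, atv, p = _tlv(rdn_set, p)
            _, oid, q = _tlv(atv, 0)
            _, value, _ = _tlv(atv, q)
            if oid == OID_CN:
                return value.decode("ascii")
    return None


def build_certificate_request(cert_types, ca_names):
    """Serialise CertificateRequest: types<1..2^8-1>, then the
    certificate_authorities<3..2^16-1> vector of <1..2^16-1> DNs."""
    if not 1 <= len(cert_types) <= 255:
        raise ValueError("certificate_types must hold 1..255 entries")
    names = b"".join(struct.pack(">H", len(n)) + n for n in ca_names)
    if not 3 <= len(names) <= 0xFFFF:
        raise ValueError("certificate_authorities length out of range")
    return bytes([len(cert_types)]) + bytes(cert_types) + struct.pack(">H", len(names)) + names


def parse_certificate_request(body):
    """Parse a body into (type names, list of DER names), refusing to read
    past a truncated vector instead of silently returning short data."""
    ntypes = body[0]
    types = [CERT_TYPES.get(t, "unknown(%d)" % t) for t in body[1:1 + ntypes]]
    pos = 1 + ntypes
    (total,) = struct.unpack_from(">H", body, pos)
    pos += 2
    end = pos + total
    if end > len(body):
        raise ValueError("certificate_authorities vector is truncated")
    names = []
    while pos < end:
        (n,) = struct.unpack_from(">H", body, pos)
        pos += 2
        if pos + n > end:
            raise ValueError("DistinguishedName runs past the vector")
        names.append(body[pos:pos + n])
        pos += n
    return types, names


def select_client_certificate(client_certs, accepted_names):
    """Strict client: offer the first certificate whose issuer DN is exactly
    one of certificate_authorities; no walking up the chain to a root."""
    for cert in client_certs:
        if cert["issuer"] in accepted_names:
            return cert["subject_cn"]
    return None


# Constructed sample CAs and client certificates (not real data).
ROOT = der_name_cn("Example Root CA")
SUB = der_name_cn("Example Subordinate CA")
OTHER_SUB = der_name_cn("Other Subordinate CA")
CLIENT_CERTS = [{"subject_cn": "alice", "issuer": OTHER_SUB},
                {"subject_cn": "bob", "issuer": SUB}]


def demo():
    # Root-only list (what the post describes): the strict client matches nothing.
    _, names = parse_certificate_request(build_certificate_request([1, 2], [ROOT]))
    root_only_choice = select_client_certificate(CLIENT_CERTS, names)
    # Naming the wanted subordinate CA: only bob's certificate is offered.
    types, names = parse_certificate_request(build_certificate_request([1], [ROOT, SUB]))
    return types, [cn_from_der_name(n) for n in names], root_only_choice, \
        select_client_certificate(CLIENT_CERTS, names)


if __name__ == "__main__":
    print(demo())
```

A client that instead walks the chain and matches on any ancestor DN (the behaviour Marc reports for Netscape) would offer alice's certificate as well against the root-only list, which is exactly why listing the subordinate CA's DN is the cleaner server-side fix.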