On Mon, Mar 08, 1999, Marc Jadoul wrote:

> Is mod-ssl able to do client authentication and require that the client
> has a certificate signed by a specific subordinate CA?
> 
> Of course it can be done if you combine SSLCACertificatePath with
> SSLRequire.
> 
> But, in the TLS specification, when the server requests the client
> certificate, it is able to send the list of accepted issuer DNs.
> In Mod-ssl, if you configure SSLCACertificateFile, the top Root DN is
> sent. Then in Netscape, if a client has a certificate signed by a
> subordinate CA, it is (eventually) automatically chosen even if this is a
> wrong certificate.
> 
> Am I missing something, or is it right?
> Have you an idea about resolving this cleanly?

Actually the list of all DNs (not only root DNs) is sent to the client when
they can be found under SSLCACertificatePath. The same should apply to
SSLCACertificateFile. OTOH sending the root DN should be enough for Netscape,
shouldn't it? Have you really tried configuring all subordinate CAs inside
SSLCACertificate{File,Path} and discovered that only the root CA's DN is sent?

                                       Ralf S. Engelschall
                                       [EMAIL PROTECTED]
                                       www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl)   www.engelschall.com/sw/mod_ssl/
Official Support Mailing List               [EMAIL PROTECTED]
Automated List Manager                       [EMAIL PROTECTED]
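The combination Marc mentions (SSLCACertificate{File,Path} plus SSLRequire) as an added configuration example; this is not from the thread or from the mod_ssl distribution. The file paths and the subordinate CA's DN are placeholders, and the subject-DN string format follows mod_ssl's one-line "/C=.../O=.../CN=..." form for SSL_CLIENT_I_DN.

```apacheconf
# Variant A (weak): only the root CA certificate is in the file. The server then
# advertises only the root DN in its CertificateRequest, and nothing restricts
# which subordinate CA issued the client certificate: any certificate that
# chains to the root within SSLVerifyDepth is accepted.
<Location /secure>
    SSLVerifyClient      require
    SSLVerifyDepth       2
    SSLCACertificateFile /usr/local/apache/conf/ssl.crt/root-ca.crt
</Location>

# Variant B (corrected): ca-chain.crt holds BOTH the root and the subordinate
# CA certificate (built with: cat root-ca.crt sub-ca.crt > ca-chain.crt), so
# both issuer DNs are advertised to the client and Netscape can pick the
# matching certificate. SSLRequire then pins the issuer DN, so a certificate
# issued by any other subordinate of the same root is rejected at the
# application layer even though it verifies cryptographically.
# (Hash-named files under SSLCACertificatePath work the same way.)
<Location /secure>
    SSLVerifyClient      require
    SSLVerifyDepth       2
    SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-chain.crt
    SSLRequire %{SSL_CLIENT_I_DN} eq "/C=BE/O=Example Corp/CN=Example Sub CA"
</Location>
```

Use only one of the two Location blocks; they are shown side by side for comparison. SSLVerifyDepth must be at least 2 here because the client certificate, the subordinate CA and the root form a three-certificate chain.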
