On Mon, Mar 08, 1999, Marc Jadoul wrote:
> > OpenSSL picks up the server's cert chain also from SSLCACertificate{Path,File}
> > when available there. So, all you've to do is to place the cert chain for the
> > server also into this location and mod_ssl is able to send it out in the SSL
> > handshake phase.
>
> If I do that, any certificate signed by the same CA as your server
> certificate is accepted when you verify the client certificate.
>
> So if I had a Secure Server certificate, and the Secure Server CA is
> signed by the same Root CA as a Class 1 CA or Class 2 CA ... all these
> client certificates are accepted in the client authenticated server.
>
> Maybe it would be more logical to have several files and options in the
> configuration, for client authentication and for the server chain?

Hmmmm... yes, you're right. It would be reasonable to have different files.
The problem just is that AFAIK OpenSSL provides no way to configure different
locations. As a workaround you can just use an SSLRequire directive and
explicitly deny those client certs issued by the CA your server cert is
issued by. Hmmm... interesting situation.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
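
The SSLRequire workaround from the reply above, as an added mod_ssl configuration fragment (not part of the original message or of the mod_ssl distribution). The CA names, locations and file path are constructed placeholders; the second block shows an allow-list variant, which is an assumption about what an administrator would want rather than something stated in the thread.

```apache
# Added example. All names and paths below are constructed placeholders.

# One bundle holds both the server's chain and the CAs trusted for client
# authentication, so every CA in it is accepted during client verification.
SSLCACertificateFile /path/to/ca-bundle.crt
SSLVerifyClient      require
SSLVerifyDepth       3

# Deny form, as suggested in the reply: reject client certificates whose
# direct issuer is the CA that issued the server certificate.
<Location /protected>
    SSLRequire %{SSL_CLIENT_I_DN_CN} ne "Example Secure Server CA"
</Location>

# Allow-list form: accept only client certificates issued directly by the
# intended client CA. Any other CA present in the bundle, including ones
# added later, is refused without further configuration changes.
<Location /protected-strict>
    SSLRequire %{SSL_CLIENT_I_DN_O}  eq "Example Org" \
           and %{SSL_CLIENT_I_DN_CN} eq "Example Class 2 Client CA"
</Location>
```

SSLRequire compares the issuer fields of the client certificate itself, so a certificate issued by a subordinate CA is matched against that subordinate's name, not the root's.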