On Fri, Jan 12, 2001 at 01:37:42PM +0100, Tim Tassonis wrote:
> > > 
> > > I want to force mod_ssl to ban self-signed certificates from being
> > > accepted as valid certificates. From what I remember, one suggestion
> > > was to use SSLRequire in order to compare the subject_dn to the
> > > issuers_dn. But this seems to be easily fakeable:
> > > 
> > > 1. Create a self signed CA certificate
> > > 2. Create request using above's key, but different dn
> > > 3. Sign it
> > 
> > I don't understand what you want to achieve:
> > - You want to enforce people to present a _valid_ certificate:
> >   SSLVerifyClient require
> >   The client must present a certificate _and_ it is tested against the
> >   trusted CAs you configured with the SSLCACertificateFile (or ...Path)
> >   option.
> 
> OR it is self-signed, as far as I understand SSLVerifyClient and
> SSLVerifyDepth. Did I miss something (from the online manual of
> SSLVerifyDepth)?

If the "require" option is set, mod_ssl must reject all certificates
that do not pass verification. A certificate not issued by a trusted
CA (and self-signed certificates belong to this group) must not pass
the verification and hence you should never see them in "require" mode.

> ... A depth of 0 means that self-signed client certificates are accepted
> only, the default depth of 1 means the client certificate can be
> self-signed or has to be signed by a CA which is directly known to the
> server (i.e. the CA's certificate is under SSLCACertificatePath), etc. ...

Yes. And no.
The SSLVerifyDepth describes up to which level the certificate is verified;
if the chain length exceeds the limit given, the verification will be
flagged as "failed", even though the reason for the failure may not
be 'chain too long' (this actually depends on the implementation and
I have not checked out mod_ssl in depth in that regard).

In any case you can check the SSL_CLIENT_VERIFY environment variable
to retrieve the verification result.
For a self-signed certificate (or one not issued by a trusted CA) you
should find the "self signed certificate in chain" verification error
(as long as the maximum allowed chain length is not exceeded).

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
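
As an added example (not part of the thread), the following POSIX shell script reproduces Lutz's point with the openssl CLI: a certificate built along Tim's three steps (own self-signed CA, request with the same key but a different DN, signed by that CA) passes a subject-vs-issuer comparison of the SSLRequire kind, yet fails verification against the server's trusted CA, which is what "SSLVerifyClient require" with SSLCACertificateFile actually enforces. All file names and DNs are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed scenario: ca.pem plays the server's SSLCACertificateFile.
set -e
WORK=$(mktemp -d); cd "$WORK"

# The server's trusted CA and a legitimate client certificate issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -days 1 -subj "/CN=Trusted CA" 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout good.key -out good.csr \
  -subj "/CN=good client" 2>/dev/null
openssl x509 -req -in good.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out good.pem -days 1 2>/dev/null

# Tim's three steps: a self-signed "CA" nobody trusts, a request reusing its
# key under a different DN, signed by that CA. Subject and issuer now differ.
openssl req -x509 -newkey rsa:2048 -nodes -keyout rogue-ca.key \
  -out rogue-ca.pem -days 1 -subj "/CN=Rogue CA" 2>/dev/null
openssl req -new -key rogue-ca.key -out rogue.csr \
  -subj "/CN=rogue client" 2>/dev/null
openssl x509 -req -in rogue.csr -CA rogue-ca.pem -CAkey rogue-ca.key \
  -CAcreateserial -out rogue.pem -days 1 2>/dev/null

# The SSLRequire-style test from the thread: does subject differ from issuer?
subject_differs_from_issuer() {
  s=$(openssl x509 -noout -subject -in "$1")
  i=$(openssl x509 -noout -issuer -in "$1")
  [ "${s#subject=}" != "${i#issuer=}" ]
}

# What "SSLVerifyClient require" enforces: a chain ending at a trusted CA.
chain_verifies() {
  openssl verify -CAfile ca.pem "$1" 2>/dev/null | grep -q ': OK$'
}

# Show both checks side by side, plus openssl's verification error text
# (the "self signed certificate in chain" reason Lutz refers to).
for c in good.pem rogue.pem rogue-ca.pem; do
  printf '%s: subject!=issuer -> ' "$c"
  subject_differs_from_issuer "$c" && echo yes || echo no
  openssl verify -CAfile ca.pem "$c" 2>&1 || true
done
```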
