On Mon, Mar 19, 2001 at 10:13:45AM -0300, Diego Tartara wrote:
> Same thing happened to me. Then I configured a CA certificate file and 
> things went straight.
> The idea is that when the SSL handshake takes place, the server asks for a
> certificate which he will consider valid. That is signed by a trusted CA.
> The server sends what HE considers to be trusted CA's to the browser, and
> the browser filters the installed certificates, and shows only those signed
> by one of the server trusted CA's.
> IE5 seems a little stupid.. and if no certificate passes this condition he
> just presents an empty dialog.

not trying to defend IE ;) but that behaviour basically seems reasonable
to me, though an appropriate warning message instead of an empty box
would be more informative, of course.
AFAIK, it wouldn't make much sense sending a client certificate for
which the server doesn't accept the CA that issued it.
To put it differently, the CA that issued the client certificate would
have to be contained in the server's list of accepted CAs, anyway (see
SSLCACertificateFile or SSLCACertificatePath), along the same reasoning
that the browser needs to accept the CA that issued the server's
certificate...

Erdmut


> Just create a text file and drop there all your trusted CA's in PEM format,
> (those that say -----BEGIN CERTIFICATE----- )
> Just cat them all, one after another. You can even place comments in
> between them as mod_ssl will just parse from a -----BEGIN CERTIFICATE-----
> up to a -----END CERTIFICATE-----.
> Then add the directive
> SSLCACertificateFile certs/my_trusted_cas.crt
> 
> Obviously replacing 'certs/my_trusted_cas.crt' by the path and name of the
> recently created file.
> 
> Now just try again.
> mod_ssl distribution comes with a file named ca-bundle.crt containing the
> certificates for what netscape considers trusted CA's.
> You can use that one and add your ca-dff.crt in PEM format.
> Try yourself by adding and removing that entry and you'll see that when the
> browser asks you to select a certificate, the newly created cert will appear
> or not depending on the presence of 'ca-dff.crt' in that trusted CA's file
> of the server.
> Hope that helps you.
> 


-- 
Erdmut Pfeifer
science+computing ag

-- Bugs come in through open windows. Keep Windows shut! --
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
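The bundle-building procedure quoted above (concatenate PEM certificates one after another, free text allowed between them, then point SSLCACertificateFile at the result) as an added shell example. This is not code from the thread or from the mod_ssl project; the file names and the PEM bodies it writes are constructed placeholders, not real certificates, and the counting function only mirrors the BEGIN/END parsing rule the post describes.

```bash
#!/bin/sh
# Added example, not from the mailing-list thread: assemble a trusted-CA
# bundle for SSLCACertificateFile and count the certificate blocks in it.

# Count certificate blocks the way the post says mod_ssl reads the file:
# only text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----
# counts; comments and anything else outside those markers are ignored.
count_pem_certs() {
    awk '/^-----BEGIN CERTIFICATE-----$/ { inside = 1 }
         /^-----END CERTIFICATE-----$/   { if (inside) n++; inside = 0 }
         END { print n + 0 }' "$1"
}

# Write bundle $1 from the PEM files given as the remaining arguments,
# putting a comment line naming the source file in front of each one
# (allowed, because only the BEGIN..END blocks are parsed).
build_ca_bundle() {
    out=$1; shift
    : > "$out"
    for pem in "$@"; do
        if [ "$(count_pem_certs "$pem")" -lt 1 ]; then
            echo "no certificate block found in $pem" >&2
            return 1
        fi
        printf '# from %s\n' "$pem" >> "$out"
        cat "$pem" >> "$out"
        printf '\n' >> "$out"
    done
    chmod 644 "$out"
    # Matching httpd.conf line (path is whatever you chose for $out):
    #   SSLCACertificateFile /path/to/my_trusted_cas.crt
}

# If openssl is installed, print the subject of each certificate in bundle $1.
# These subjects are the CA names the server will advertise as acceptable
# issuers in its CertificateRequest, which is what the browser filters on.
list_bundle_subjects() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not available" >&2; return 1; }
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/^-----BEGIN CERTIFICATE-----$/ { n++; f = d "/" n ".pem" }
                     f { print > f }
                     /^-----END CERTIFICATE-----$/ { close(f); f = "" }' "$1"
    for c in "$tmp"/*.pem; do
        openssl x509 -in "$c" -noout -subject
    done
    rm -rf "$tmp"
}

# Demo with two constructed placeholder CA files (NOT real certificates);
# returns the number of certificate blocks mod_ssl would find in the bundle.
demo_bundle() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' \
                  'PLACEHOLDER-CA-1-NOT-A-REAL-CERT' \
                  '-----END CERTIFICATE-----' > "$dir/ca-dff.crt"
    printf '%s\n' 'free-text comment before the second CA' \
                  '-----BEGIN CERTIFICATE-----' \
                  'PLACEHOLDER-CA-2-NOT-A-REAL-CERT' \
                  '-----END CERTIFICATE-----' > "$dir/other-ca.crt"
    build_ca_bundle "$dir/my_trusted_cas.crt" "$dir/ca-dff.crt" "$dir/other-ca.crt" || return 1
    count_pem_certs "$dir/my_trusted_cas.crt"
    rm -rf "$dir"
}
```

Run `demo_bundle` to see the count (2 for the placeholders above); with real CA files, `list_bundle_subjects my_trusted_cas.crt` shows which issuers the server will advertise, and `openssl s_client -connect host:443` run against the server prints the same list under "Acceptable client certificate CA names", so a cert that is missing from the browser's selection dialog can be traced to its issuer being absent from that list rather than to a browser problem.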
