Hi,
Maybe changing the verification depth level solves this issue (I mean, check the chain only up to User CA 1 and not up to the Root CA). In this case it should not report a missing valid root.
I'm not sure; this is just an idea.
Regards,
Samy
Olaf Gellert <[EMAIL PROTECTED]> wrote on 07.03.2006 12:56:
Hi,
I came across the following problem: I do have
two user CAs under the same root CA:
Root CA
|-> User CA 1 -> User Certificate 1
|-> User CA 2 -> User Certificate 2
I want to tell a webserver to accept certificates
from User CA 1 but not from User CA 2. But: In
openssl s_server AND in mod_ssl I can only specify
a list (as file or directory) of trusted CAs. These
are used for two purposes:
a) the server puts all of them in his certificate_request
message during SSL connection establishment.
b) they have to contain the root certificate as trust
anchor.
What I need is a way to specify the requested client
CAs WITHOUT the root certificate. Otherwise clients
(Mozilla/Firefox) think that both CAs are accepted
(because the root certificate is in the certificate
request message).
Any way to do this? Is this just a missing feature
or do I read the RFC wrong? This is what RFC 2246 says
about the request message (sec. 7.4.4):
certificate_authorities
A list of the distinguished names of acceptable certificate
authorities. These distinguished names may specify a desired
distinguished name for a root CA or for a subordinate CA;
thus, this message can be used both to describe known roots
and a desired authorization space.
So it should be possible to provide only the certificate
of User CA 1? (but then openssl s_server and mod_ssl do
not find a valid root certificate.)
Thanks for any help,
Olaf
--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE [EMAIL PROTECTED]
A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
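One way to get the two separate lists Olaf asks for in mod_ssl, as an added example that is not from this thread: httpd 2.2 and later split the trust store (SSLCACertificateFile) from the DN list advertised in the certificate_request message (SSLCADNRequestFile). Because the advertised list is only a hint to the client, the authorization space is enforced separately on the issuer of the presented certificate; the file paths and the CA common name are assumptions.

```apache
# Before: one file is both the trust store and the advertised CA list,
# so the root DN is sent and browsers offer certificates from both user
# CAs (assumed path):
#   SSLCACertificateFile /etc/ssl/certs/root-and-user-cas.pem

SSLEngine on
SSLVerifyClient require

# Chain is Root CA -> User CA 1 -> client cert, so depth 2 is needed.
# Note that a depth limit alone cannot tell User CA 1 from User CA 2:
# both sit at the same depth below the root.
SSLVerifyDepth 2

# Trust anchor only: used to build and verify the chain up to the root
# (assumed path).
SSLCACertificateFile /etc/ssl/certs/root-ca.pem

# DN list sent in the certificate_request message: User CA 1 only.
# The root is deliberately absent, so the client is not invited to
# offer a certificate issued under User CA 2 (assumed path).
SSLCADNRequestFile /etc/ssl/certs/user-ca-1.pem

# The advertised list is advisory. A client may still present a
# certificate from User CA 2, and it verifies fine against the root, so
# the issuer of the presented certificate is checked explicitly
# (httpd 2.4 syntax; the CN value is an assumption).
<Location />
    Require expr %{SSL_CLIENT_I_DN_CN} == 'User CA 1'
</Location>
```

With SSLVerifyClient set to require, a client that presents no certificate at all is rejected during the handshake, and one that presents a User CA 2 certificate passes chain verification but is denied by the Require check.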
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]