When you want to operate in this special "CA filtering" mode, you
could hook the OpenSSL certificate validation logic. Your callback
could then implement its own validation logic and return a "reject"
when you see a certificate you want to deny (even though it's valid).
Randy
On Mar 7, 2006, at 7:03 AM, Olaf Gellert wrote:
Samy Thiyagarajan wrote:
Hi,
Maybe changing the verification depth level solves this issue
(I mean check the chain only up to User CA 1 and not up to the Root
CA). In this case it should not report a missing valid root.
I'm not sure; this is just an idea.
Good idea. But unfortunately it does not work out. I removed the
root-certificate from the SSLCACertificateFile. The Server now only
allows the user CA 1 (otherwise it still offers the root CA as
valid CA). And I shortened the verifyDepth to one. But the server
denies access saying:
[Tue Mar 07 15:56:34 2006] [error] Certificate Verification: Error (20): unable to get local issuer certificate
Seems that "verifyDepth" still requires a self-signed root
certificate (so the chain has to reach the toplevel in the
given number of steps).
Hm... Any other proposals? :-)
Cheers, Olaf
--
Dipl.Inform. Olaf Gellert PRESECURE (R)
Senior Researcher, Consulting GmbH
Phone: (+49) 0700 / PRESECURE [EMAIL PROTECTED]
A daily view on Internet Attacks
https://www.ecsirt.net/sensornet
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
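A worked version of Randy's suggestion, added here as an example and not part of the thread or of OpenSSL's own code. It is written in Go because crypto/x509 and tls.Config.VerifyPeerCertificate are the direct counterparts of the OpenSSL verify callback installed with SSL_CTX_set_verify: the library does the cryptographic chain building, the hook applies local policy on top and returns a rejection for a certificate that is valid but unwanted. The root certificate stays in the trust store (removing it is what produced error 20 above, because path validation must still reach a self-signed root); the "only User CA 1" rule is expressed afterwards as a deny-list keyed by the SHA-256 of the intermediate's DER, not by its subject name. All names (Root CA, User CA 1, User CA 2, alice, bob, mallory), the helper names (checkChains, makeVerifier, issue, buildDemo) and the certificates themselves are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrDeniedCA: the chain verified fine, but it passes through a CA that local policy refuses.
var ErrDeniedCA = errors.New("certificate chains to a denied CA")

// checkChains does ordinary path validation up to a trusted root first, then rejects any chain that
// contains a denied CA. The deny-list is keyed by SHA-256 of the CA's DER, not by its name. chain[0] is the leaf.
func checkChains(leaf *x509.Certificate, roots, inters *x509.CertPool, denied map[[32]byte]bool) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return err // genuinely invalid: unknown issuer, expired, wrong EKU, ...
	}
	for _, chain := range chains {
		for _, ca := range chain[1:] {
			if denied[sha256.Sum256(ca.Raw)] {
				return ErrDeniedCA
			}
		}
	}
	return nil
}

// makeVerifier returns a tls.Config.VerifyPeerCertificate hook, the Go counterpart of an OpenSSL verify
// callback. With ClientAuth: tls.RequireAnyClientCert the library verifies nothing itself, so this hook is the whole check.
func makeVerifier(roots, inters *x509.CertPool, denied map[[32]byte]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("no client certificate presented")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return err
		}
		return checkChains(leaf, roots, inters, denied)
	}
}

// issue mints a throwaway test certificate (constructed data); a nil parent means self-signed.
func issue(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if ca {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, pkey = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // re-parse so SubjectKeyId/AuthorityKeyId are populated
	return cert, priv
}

// buildDemo constructs the thread's hierarchy (one root signing "User CA 1" and "User CA 2"), denies User CA 2,
// and returns the verifier plus three constructed test leaves by name.
func buildDemo() (func([][]byte, [][]*x509.Certificate) error, map[string]*x509.Certificate) {
	root, rootKey := issue("Root CA", true, nil, nil)
	ca1, ca1Key := issue("User CA 1", true, root, rootKey)
	ca2, ca2Key := issue("User CA 2", true, root, rootKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root) // the root stays trusted; policy is applied after chain building
	inters.AddCert(ca1)
	inters.AddCert(ca2)
	denied := map[[32]byte]bool{sha256.Sum256(ca2.Raw): true} // refuse everything under User CA 2
	alice, _ := issue("alice", false, ca1, ca1Key)   // valid and allowed
	bob, _ := issue("bob", false, ca2, ca2Key)       // valid, but issued under the denied CA
	mallory, _ := issue("mallory", false, nil, nil) // self-signed: chains to nothing we trust
	return makeVerifier(roots, inters, denied), map[string]*x509.Certificate{"alice": alice, "bob": bob, "mallory": mallory}
}

func main() {
	verify, leaves := buildDemo()
	for name, leaf := range leaves {
		fmt.Printf("%-8s -> %v\n", name, verify([][]byte{leaf.Raw}, nil))
	}
}
```

Running it prints an accepted alice, ErrDeniedCA for bob, and an "unknown authority" error for mallory: the distinction between "valid but refused by policy" and "not valid at all" is exactly what the mod_ssl configuration in the thread could not express. In OpenSSL the same shape is the verify_callback handed to SSL_CTX_set_verify, which is invoked once per certificate in the chain with the X509_STORE_CTX and can return 0 to reject even when preverify_ok is 1.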