On 3/7/06, Olaf Gellert <[EMAIL PROTECTED]> wrote:
> Samy Thiyagarajan wrote:
> >
> > Hi,
> > Maybe changing the verification of the depth level solves this issue
> > (I mean: check the chain only up to User CA 1 and not up to the Root CA).
> > In this case it should not report a missing valid root.
> >
> > I'm not sure. This is just an idea.
>
> Good idea. But unfortunately it does not work out. I removed the
> root-certificate from the SSLCACertificateFile. The Server now only
> allows the user CA 1 (otherwise it still offers the root CA as
> valid CA). And I shortened the verifyDepth to one. But the server
> denies access saying:
>
> [Tue Mar 07 15:56:34 2006] [error] Certificate Verification: Error (20): unable to get local issuer certificate
>
> Seems that "verifyDepth" still requires a self-signed root
> certificate (so the chain has to reach the toplevel in the
> given number of steps).
>
> Hm... Any other proposals? :-)
>
> Cheers, Olaf
>
> --
> Dipl.Inform. Olaf Gellert                  PRESECURE (R)
> Senior Researcher,                       Consulting GmbH
> Phone: (+49) 0700 / PRESECURE           [EMAIL PROTECTED]
>
>                         A daily view on Internet Attacks
>                         https://www.ecsirt.net/sensornet
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
>

Hi Olaf,

I think you can use the mod_ssl SSLRequire directive.

This directive specifies a general access requirement which has to be
fulfilled in order to allow access. It's a very powerful directive
because the requirement specification is an arbitrarily complex
boolean expression containing any number of access checks.

Example that should work for you:
SSLRequire %{SSL_CLIENT_I_DN} eq "/C=foo/O=bar/CN=CA1"

cf. http://www.modssl.org/docs/2.8/ssl_reference.html#ToC23

Regards

--
Nicolas Margaine
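The directive in context, as an added example that is not part of the thread (mod_ssl 2.8 style httpd.conf; the file paths and the DN values are assumed placeholders): chain verification still needs the root in the trust store, while SSLRequire does the separate authorization step of accepting only certificates issued directly by User CA 1.

```apache
# Added example, not from the thread. Paths and DNs are placeholders.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt
    SSLCertificateKeyFile /etc/ssl/server.key

    # Verification step: the file must contain BOTH the self-signed root
    # and User CA 1, otherwise OpenSSL cannot complete the chain and
    # mod_ssl logs verify error 20 "unable to get local issuer certificate".
    SSLCACertificateFile  /etc/ssl/ca-chain.pem
    SSLVerifyClient       require
    # client cert -> User CA 1 -> root CA: two steps up to the self-signed root
    SSLVerifyDepth        2

    # Log the issuer DN exactly as mod_ssl renders it, so the string used
    # in SSLRequire below can be copied from the log rather than guessed.
    CustomLog /var/log/httpd/ssl_request_log "%t %h %{SSL_CLIENT_I_DN}x \"%r\" %b"

    <Location /restricted>
        # Authorization step: SSL_CLIENT_I_DN is the *immediate* issuer of the
        # client certificate. A certificate issued by the root itself, or by a
        # different sub-CA under the same root, still passes verification but
        # is refused here. The comparison is an exact one-line DN string match.
        SSLRequire %{SSL_CLIENT_I_DN} eq "/C=DE/O=Example/CN=User CA 1"
    </Location>
</VirtualHost>
```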