On 3/7/06, Olaf Gellert <[EMAIL PROTECTED]> wrote:
> Samy Thiyagarajan wrote:
> >
> > Hi,
> > Maybe changing the verification depth level would solve this issue
> > (I mean check the chain only up to User CA 1 and not up to the Root CA).
> > In this case it should not report a missing valid root.
> >
> > I'm not sure. This is just an idea.
>
> Good idea. But unfortunately it does not work out. I removed the
> root certificate from the SSLCACertificateFile. The server now only
> allows User CA 1 (otherwise it still offers the root CA as a
> valid CA). And I shortened the verifyDepth to one. But the server
> denies access, saying:
>
> [Tue Mar 07 15:56:34 2006] [error] Certificate Verification: Error (20):
> unable to get local issuer certificate
>
> It seems that "verifyDepth" still requires a self-signed root
> certificate (so the chain has to reach the top level in the
> given number of steps).
>
> Hm... Any other proposals? :-)
>
> Cheers, Olaf
>
> --
> Dipl.Inform. Olaf Gellert                  PRESECURE (R)
> Senior Researcher,                         Consulting GmbH
> Phone: (+49) 0700 / PRESECURE              [EMAIL PROTECTED]
>
> A daily view on Internet Attacks
> https://www.ecsirt.net/sensornet
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
Hi Olaf,

I think you can use the mod_ssl SSLRequire directive. This directive specifies a general access requirement which has to be fulfilled in order to allow access. It's a very powerful directive because the requirement specification is an arbitrarily complex boolean expression containing any number of access checks.

Example that should work for you:

    SSLRequire %{SSL_CLIENT_I_DN} eq "/C=foo/O=bar/CN=CA1"

cf. http://www.modssl.org/docs/2.8/ssl_reference.html#ToC23

Regards
--
Nicolas Margaine
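An added configuration example, not part of the thread and not Olaf's or Nicolas's actual setup, showing how the two halves fit together: the trust store keeps the whole chain so OpenSSL can build a path to a self-signed root (the missing-issuer error above is what happens when it cannot), and the "only User CA 1" restriction is enforced afterwards, at the authorization step, by matching the issuer DN. The file path, the DN values and the /restricted location are placeholders.

```apache
# Added example (not from the original thread). Placeholder paths and DNs.
SSLEngine on
SSLVerifyClient require

# leaf -> User CA 1 -> root: one intermediate, so depth 1 would do; 2 leaves
# room for the root to be counted as well.
SSLVerifyDepth 2

# Verification needs a path that ends at a self-signed certificate, so this
# file must contain the root AND User CA 1. Leaving the root out is what
# produces "Error (20): unable to get local issuer certificate".
SSLCACertificateFile /etc/apache2/ssl/root-and-user-ca1.pem

# Optional (Apache 2.2 and later): control which CA names are advertised to
# the client in the CertificateRequest, independently of what is trusted.
# With only User CA 1 in here the server no longer "offers the root CA".
SSLCADNRequestFile /etc/apache2/ssl/user-ca1-only.pem

<Location /restricted>
    # Authorization step: the chain verified fine, but only certificates
    # whose *direct* issuer is User CA 1 may pass. Compare the full DN, not
    # just the CN, so a second sub-CA with the same CN cannot slip through.
    # The slash-separated form is the mod_ssl 2.8 / Apache 2.2 DN format.
    SSLRequire %{SSL_CLIENT_I_DN} eq "/C=foo/O=bar/CN=CA1"

    # Apache 2.4 equivalent (SSLRequire is deprecated there). Note that the
    # default DN string format changed to RFC 2253 ("CN=CA1,O=bar,C=foo")
    # unless "SSLOptions +LegacyDNStringFormat" is set, which is why the
    # per-component variables are the safer thing to compare:
    #
    #   Require expr "%{SSL_CLIENT_I_DN_CN} == 'CA1' && %{SSL_CLIENT_I_DN_O} == 'bar' && %{SSL_CLIENT_I_DN_C} == 'foo'"
</Location>
```

The point of splitting it this way is that path validation and policy are different questions: OpenSSL answers "does this certificate chain to something I trust?", and it has no notion of "trust this intermediate but not its parent", so the root has to stay in SSLCACertificateFile. Which sub-CA is acceptable is then a policy decision, and SSLRequire (or Require expr in 2.4) is where mod_ssl lets you express it. The DN comparison is an exact string match, so the value must be copied from what mod_ssl actually exports (for example from a test request with SSLOptions +StdEnvVars) rather than typed from memory.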