Re: Choice of CAs in SSL/TLS handshake

2006-03-08 Thread Nicolas Margaine
On 3/7/06, Olaf Gellert [EMAIL PROTECTED] wrote:
 Samy Thiyagarajan wrote:
 
  Hi,
  Maybe changing the verification of the depth level solves this issue. (
  I mean check the chain only up to User CA 1 and not up to the Root CA )
  In this case it should not report about missing valid root.
 
  I'm not sure. This is just an idea.

 Good idea. But unfortunately it does not work out. I removed the
 root-certificate from the SSLCACertificateFile. The Server now only
 allows the user CA 1 (otherwise it still offers the root CA as
 valid CA). And I shortened the verifyDepth to one. But the server
 denies access saying:

 [Tue Mar 07 15:56:34 2006] [error] Certificate Verification: Error (20): unable to get local issuer certificate

 Seems that verifyDepth still requires a self-signed root
 certificate (so the chain has to reach the toplevel in the
 given number of steps).

 Hm... Any other proposals? :-)

 Cheers, Olaf

 --
 Dipl.Inform. Olaf Gellert  PRESECURE (R)
 Senior Researcher,   Consulting GmbH
 Phone: (+49) 0700 / PRESECURE   [EMAIL PROTECTED]

 A daily view on Internet Attacks
 https://www.ecsirt.net/sensornet

 __
 OpenSSL Project                 http://www.openssl.org
 User Support Mailing List       openssl-users@openssl.org
 Automated List Manager          [EMAIL PROTECTED]


Hi Olaf,

 I think you can use the mod_ssl SSLRequire directive.

 This directive specifies a general access requirement which has to be
fulfilled in order to allow access. It's a very powerful directive
because the requirement specification is an arbitrarily complex
boolean expression containing any number of access checks.

Example that should work for you:
SSLRequire %{SSL_CLIENT_I_DN} eq "/C=foo/O=bar/CN=CA1"

cf http://www.modssl.org/docs/2.8/ssl_reference.html#ToC23

Regards

--
Nicolas Margaine
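
As an added illustration (not part of the original messages and not taken from the mod_ssl documentation), a virtual-host fragment that combines the SSLRequire check above with the chain settings discussed earlier in the thread. The file paths, host name, /secure location and depth of 2 are assumptions for a Root CA -> User CA 1 -> client chain; the DN is the placeholder used in the message.

```apache
# Constructed example; paths, ServerName and /secure are hypothetical.
<VirtualHost _default_:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/server.crt
    SSLCertificateKeyFile /etc/apache/ssl/server.key

    # Chain building needs every issuer up to the self-signed root, so the
    # bundle holds both the root CA and User CA 1. With the root removed,
    # verification fails with "Error (20): unable to get local issuer
    # certificate", as reported earlier in the thread.
    SSLCACertificateFile  /etc/apache/ssl/root-and-userca1.crt

    # Request a client certificate and fail the handshake if none verifies.
    SSLVerifyClient require
    # Assumed chain: client cert <- User CA 1 <- Root CA.
    SSLVerifyDepth  2

    <Location /secure>
        # Evaluated per request, after chain verification has succeeded.
        # Only certificates issued directly by CA1 pass; certificates from
        # other CAs under the same root verify but are denied here.
        SSLRequire %{SSL_CLIENT_VERIFY} eq "SUCCESS" \
               and %{SSL_CLIENT_I_DN} eq "/C=foo/O=bar/CN=CA1"
    </Location>
</VirtualHost>
```

The CA names sent in the server's certificate request still include the root, because that list is derived from SSLCACertificateFile; SSLRequire only decides access afterwards. The comparison is an exact string match on the issuer DN as mod_ssl renders it.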


Re: Silly CA/certs questions...

2006-02-23 Thread Nicolas Margaine
Hi,

I know that MediaWiki has an XML export format (http://meta.wikimedia.org/wiki/XML_export).
The problem is that all the wiki markups are not translated in XML.
The best solution would be to export the MediaWiki data in a docbook xml format.
Unfortunately, as said in http://www.hula-project.org/Wiki_Conversion
this seems to be an incomplete solution. (the best solution seems to be
flexbisonparse but I didn't try it)

Regards,

Nicolas Margaine
On 2/23/06, Georg Lohrer [EMAIL PROTECTED] wrote:
 Mark,

 On Do, 23 Feb 2006, Mark wrote:
  I'm sure the ability to have multiple authors is useful, but it would be
  handy to be able to print the document.

 oh that's not mutually exclusive. Most of the Wiki's provide some rather
 good printouts. Some of them (the wikis) even provide a pdf-transfiguration.

  Personally I would like to keep the document in plain text or common
  wordprocessor format for simplicity.

 The real general text-format with all possible ways of
 pre-write-output-transformation would be to use SGML. The next best would be
 to have DocBook or at least on the word-formatting side LaTeX itself.
 If someone is a little bit familiar with LaTeX or HTML-formatting, all
 Wiki-input basics will be plain easy.

 On the other hand, if the information is stored in the wiki it is not really
 simple to get it out of there in another format. If that way is desired or
 necessary, nothing would be as flexible as SGML with different output-filters
 for LaTeX, PDF, DOC-formats, plain-text, etc.

 But with a wiki it's very simple and easy to run iteratively through the
 edit-store-correct-store cycle. With distinguished documents which have to be
 passed around or are stored in a (distributed) version control system it will
 be a pain.

 So it depends on the real needs of this documentation and last not least the
 time the authors will spend for this work.

 Ciao, Georg