Hi,

Normally, the CN would be the IP address of the client; if the client IP does not match its certificate CN, Apache would deny its request. This is used in highly secured networks.

But we do not need such a strict security configuration; we just need to verify whether the client certificate is issued by a trusted CA. If yes, accept the client; if not, deny the client. So, I just need to verify client certificates "partly". What can I do?

Br,
Jason

On Tue, Jul 13, 2010 at 7:12 PM, Eric Covener <cove...@gmail.com> wrote:
> On Tue, Jul 13, 2010 at 3:23 AM, galaft wang <gal...@gmail.com> wrote:
> > Hi,
> >
> > As we know, the directive SSLVerifyClient in mod_ssl can be used for Client
> > Authentication
> >
> > SSLVerifyClient require
> >
> > It means the client has to present a valid certificate.
> >
> > However, for a specific purpose, I only want to verify whether the client's
> > certificate is issued by a trusted CA.
> > I do not want to verify the common name in the client's certificate.
> > In other words, if the client certificate is issued by a trusted CA, even if its
> > common name is not matched, we can also consider this client certificate
> > valid.
>
> What does mod_ssl match the CN of a client certificate against?
>
> --
> Eric Covener
> cove...@gmail.com
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.