Hi,

Normally, the CN would be the IP address of the client; if the client IP does not match its certificate CN, Apache would deny its request. This is used in highly secured networks.

But we do not need such a strict security configuration; we just need to verify whether the client certificate is issued by a trusted CA. If yes, accept the client; if not, deny the client. So, I just need to verify client certificates "partly". What can I do?

Br,
Jason

On Tue, Jul 13, 2010 at 7:12 PM, Eric Covener <[email protected]> wrote:

> On Tue, Jul 13, 2010 at 3:23 AM, galaft wang <[email protected]> wrote:
> > Hi,
> >
> > As we know, the directive SSLVerifyClient in mod_ssl can be used for Client
> > Authentication
> >
> > SSLVerifyClient require
> >
> > It means the client has to present a valid Certificate
> >
> > However, for a specific purpose, I only want to verify whether the client's
> > certificate is issued by a trusted CA.
> > I do not want to verify the common name in the client's certificate.
> > In other words, if the client certificate is issued by a trusted CA, even if
> > its common name does not match, we can also consider this client certificate
> > valid.
>
> What does mod_ssl match the CN of a client certificate against?
>
> --
> Eric Covener
> [email protected]
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
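
An added example, not part of the original thread and not any poster's configuration: in mod_ssl, checking that a client certificate chains to a trusted CA and checking its subject are set by separate directives. The server name, file paths and the /strict location below are placeholders chosen for illustration.

```apache
# Constructed example for Apache 2.2-era mod_ssl; all names and paths are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Chain verification: the client must present a certificate that
    # validates against the CA certificate(s) in this file.
    SSLCACertificateFile  /etc/apache2/ssl/trusted-ca.crt
    SSLVerifyClient require
    # Depth 1: the client certificate must be signed by a CA that is
    # directly known to the server (no intermediate CAs allowed).
    SSLVerifyDepth 1

    # With only the directives above, any certificate issued by the
    # trusted CA is accepted, whatever its subject CN contains.

    # A subject check has to be added explicitly. This location also
    # requires the certificate CN to equal the client's IP address.
    <Location /strict>
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_ADDR}
    </Location>
</VirtualHost>
```

Outside /strict, this virtual host accepts any client certificate issued by the configured CA; limiting the CA file to the single issuing CA keeps that trust boundary narrow.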
