Oh, good call!
So, now I'm looking at:
* SSLCACertificateFile, to hold all of the certificates that I would
authenticate against;
* SSLCADNRequestFile, to send an acceptable list of certificates to the
client;
* SSLRequire, to prevent malicious clients from sending me a certificate
that would validate against a CA higher up the chain than what I want.
I'd probably have researched the SSLRequire part of it anway; all of our
production Apache servers are 2.0.x, which don't support the
SSLCADNRequestFile directive. Until they can be upgraded, I'll want to
prevent the use of an inappropriate certificate.
Thanks for taking the time to respond to this issue.
-dpmott
On Tue, 24 Apr 2007, Olaf Gellert wrote:
David P. Mott wrote:
I don't know why I didn't find this in the dozens of Google searches
that I did *before* I posted my question, but these seem to be what I'm
looking for:
SSLCADNRequestFile / SSLCADNRequestPath
Please be aware that Apache/ModSSL uses den SSLCADNRequest-
File / SSLCADNRequestPath only for submitting a list of
accepted CAs to the client. It does not use this for
verification. So: Usually a client will send the certificate
of the requested subCA (even if he has client certificates
from both CAs), but this does not mean that a malicious
client could not send a client certificate of the other
CA. This certificate would be accepted then (because
evaluation of the chain is still done against the certificates
from SSLCACertificateFile. There is no check against the
certificates from SSLCADNRequestFile...
Regards, Olaf
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager [EMAIL PROTECTED]
