Hi there,

We use client certs to access an Apache Web server. It all works well except that if the user only has a cert not signed by one of the Apache's "trusted" CAs, they end up with this gross IE error page, which doesn't tell the user what went wrong.

If they don't have any client certs, then using "SSLVerifyClient optional" can catch that (and I can use PHP to redirect to a nice error page), but it can't catch having a cert signed by someone else. So instead of using "SSLVerifyDepth 1", I thought I'd allow any client cert to be accepted, then use PHP to veto it, etc. I can do this as I only look for a client cert on a login page; I use cookies to actually do auth after the initial check.

Anyway, can some combination of Apache environment variables add up to the same thing? I'm concerned that someone could conceivably create a CA with the same details contained within our CA's public key, then sign a cert with that, then break through such a system. I know "SSLVerifyDepth" stops that, I just want to find another way of doing the same thing...

Thanks! (and brickbats to Microsoft!)

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
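One way to do the veto in PHP, as an added example that is not the poster's code: let mod_ssl accept any certificate at the TLS layer with `SSLVerifyClient optional_no_ca`, then gate the login page on mod_ssl's own verdict in `SSL_CLIENT_VERIFY` and re-check the chain against the CA file, rather than comparing the issuer DN (`SSL_CLIENT_I_DN`), which a home-made CA can copy. The CA path, the error-page URL and `SSLOptions +ExportCertData` (needed for `SSL_CLIENT_CERT`) are assumptions.

```php
<?php
// Added example, not from the original post. Assumes the vhost has
//   SSLVerifyClient optional_no_ca   (any cert is accepted at the TLS layer)
//   SSLOptions +ExportCertData       (exports the cert PEM as SSL_CLIENT_CERT)
// and that TRUSTED_CA_FILE holds only our own CA certificate.
const TRUSTED_CA_FILE    = '/etc/ssl/our-ca.pem';   // assumed path
const FRIENDLY_ERROR_URL = '/cert-error.php';       // assumed error page

function fail(string $reason): void {
    // Keep the detail for the operator; give the user a readable page.
    error_log("client cert rejected: $reason");
    header('Location: ' . FRIENDLY_ERROR_URL . '?reason=' . urlencode($reason));
    exit;
}

// 1. mod_ssl's verdict: NONE (no cert sent), GENEROUS (cert not verifiable
//    against SSLCACertificateFile), FAILED:<reason>, or SUCCESS. Only SUCCESS
//    means the chain was signed by a configured CA within SSLVerifyDepth.
$verdict = $_SERVER['SSL_CLIENT_VERIFY'] ?? 'NONE';
if ($verdict !== 'SUCCESS') {
    fail($verdict);
}

// 2. Belt and braces: re-verify the presented certificate in PHP against our
//    CA only. This is a signature check over the chain, so a CA that merely
//    copies our issuer DN does not pass.
$pem  = $_SERVER['SSL_CLIENT_CERT'] ?? '';
$cert = $pem !== '' ? openssl_x509_read($pem) : false;
if ($cert === false) {
    fail('no exportable client certificate');
}
if (openssl_x509_checkpurpose($cert, X509_PURPOSE_SSL_CLIENT, [TRUSTED_CA_FILE]) !== true) {
    fail('certificate chain does not lead to our CA');
}

// 3. Only now read the subject for the login step (cookie issued after this).
$subject = openssl_x509_parse($cert)['subject'] ?? [];
$user    = $subject['CN'] ?? null;
if ($user === null) {
    fail('certificate has no CN');
}
// ... issue the session cookie for $user here ...
```

Because `optional_no_ca` still runs the normal verification, `SSL_CLIENT_VERIFY` gives the same protection as `SSLVerifyDepth` did, but the decision about what to show the user is now made in PHP instead of by the browser.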