Hello all,

Using:
- Apache          2.0.54-2
- Mozilla firefox 1.0.4-2

I want to use mutual authentication on my http server, and I only want
users with SSL client certificates issued by my Certificate Authority
(named 'myCA' here) to get access to the http server. myCA is a subCA
from a RootCA. I also set up another subCA (named 'AnotherCA') for test
purposes:

RootCA
  |-- MyCA
  |-- AnotherCA

(That is, the Root CA signed the myCA and AnotherCA certificates)

The HTTP SSL Server Certificate I use is also a certificate issued by
myCA.

My SSL Apache config looks like:
...
        ServerName whatever.com
        SSLEngine on

        SSLCipherSuite AES256+RSA:3DES+RSA
        SSLProtocol -SSLv2 +SSLv3
        SSLCertificateFile       /var/test/server.crt
        SSLCertificateKeyFile    /var/test/server.key
        SSLCACertificateFile     /var/test/cabundle.crt
        SSLVerifyClient require
        SSLVerifyDepth 2
...

The cabundle.crt file contains the certificates of RootCA and myCA.

On my Mozilla Firefox browser, I made some tests:
- I install a client SSL certificate issued by MyCA (either alone or
with the RootCA and MyCA certificates going along with it):
  * Mutual authentication works fine with SSLVerifyDepth = 2.
  * It does not work with SSLVerifyDepth = 1, which is OK.

- Then I install a client SSL certificate issued by AnotherCA:
  * This certificate is not recognized by my http server when I don't
include the RootCA and AnotherCA certificates in Firefox. OK.
  * Otherwise (Firefox has the complete CA path: RootCA certificate,
AnotherCA certificate and client SSL certificate), mutual authentication
works, and that is really what I don't want to occur!

In my opinion, my Apache server should never accept this certificate in
any case, because it does not know about AnotherCA's certificate in
its CA bundle file.
Of course, if I set SSLVerifyDepth = 1 and give my http server only
the myCA certificate, then I would be able to filter out the AnotherCA
client certificates, but, on the other hand, I wouldn't be able to check
the chain path up to the RootCA, which is not good at all...

Any ideas on what is happening?

Thanks in advance,
Pierre
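
The scenario from the post rebuilt as an added example (not Pierre's configuration and not Apache project code): a throw-away openssl PKI with the same CA layout, checked with `openssl verify`, which applies the same path-building rule mod_ssl relies on, so it shows why a client certificate from AnotherCA validates as soon as the client supplies the AnotherCA certificate itself (any path ending at RootCA, which is in cabundle.crt, is a valid path), and what an immediate-issuer check adds on top. It assumes the openssl command-line tool is installed; all names, subjects, file paths and the one-day validity are constructed for the example.

```shell
set -e
WORK=$(mktemp -d)   # constructed throw-away directory for keys and certs

# mkcert NAME SUBJECT [ISSUER] [ca]: self-signed when no ISSUER is given,
# otherwise signed by ISSUER; a 4th argument makes the new certificate a CA.
mkcert() {
  openssl genrsa -out "$WORK/$1.key" 2048 2>/dev/null
  if [ -z "$3" ]; then
    openssl req -x509 -new -key "$WORK/$1.key" -subj "$2" -days 1 -out "$WORK/$1.crt" 2>/dev/null
    return
  fi
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  if [ -n "$4" ]; then ca=TRUE; else ca=FALSE; fi
  printf 'basicConstraints=CA:%s\n' "$ca" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" -CAcreateserial \
    -days 1 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# chain_ok BUNDLE CERT [INTERMEDIATE]: succeeds when some path from CERT up to a
# CA listed in BUNDLE validates. INTERMEDIATE plays the sub-CA certificate the
# browser sends along with the client certificate (it is not trusted by itself).
chain_ok() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>&1 | grep -q ': OK'
  else
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK'
  fi
}

# issued_by CERT CA: the policy check that path validation alone does not make,
# namely that CERT's immediate issuer DN is exactly CA's subject DN.
issued_by() {
  [ "$(openssl x509 -noout -issuer -in "$1" | sed 's/^issuer=//')" = \
    "$(openssl x509 -noout -subject -in "$2" | sed 's/^subject=//')" ]
}

mkcert root /CN=RootCA
mkcert myca /CN=MyCA root ca
mkcert other /CN=AnotherCA root ca
mkcert client_mine /CN=pierre myca
mkcert client_other /CN=someone-else other
cat "$WORK/root.crt" "$WORK/myca.crt" > "$WORK/cabundle.crt"   # same content as the post's bundle

# report CERT [INTERMEDIATE]: one line per scenario described in the post
report() {
  chain_ok "$WORK/cabundle.crt" "$WORK/$1.crt" "${2:+$WORK/$2.crt}" && p=accepted || p=rejected
  issued_by "$WORK/$1.crt" "$WORK/myca.crt" && i=yes || i=no
  echo "$1${2:+ +$2.crt}: chain $p; immediate issuer is MyCA: $i"
}
report client_mine; report client_other; report client_other other
```

Path validation only asks whether some chain ends at a CA in the bundle, which is why the third line reports the AnotherCA client as accepted; mod_ssl can apply the immediate-issuer test from issued_by with SSLRequire on %{SSL_CLIENT_I_DN}.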


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.