httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 47492] New: SSLVerifyClient require_no_ca
Date Wed, 08 Jul 2009 01:45:16 GMT

           Summary: SSLVerifyClient require_no_ca
           Product: Apache httpd-2
           Version: 2.2.11
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl

Created an attachment (id=23937): SSLVerifyClient require_no_ca patch for httpd-2.2.11

This patch submission implements an additional option for the SSLVerifyClient
directive: require_no_ca.  When configured, this option requires that clients
present SSL certificates but allows certificates issued by CAs unknown to the

This feature is especially useful for SSL-based authentication schemes
implementing trust models independent of typical enterprise CA/chain
verification.  The optional_no_ca option is insufficient for widely-deployed
solutions of this fashion since "'optional' doesn't work with all browsers"

One example making use of this configuration is the FOAF+SSL [2] protocol which
allows a client to assert an identity specified as a URI in the X509v3
extension subjectAltName of their certificate. After SSL negotiation by
mod_ssl, mod_authn_webid [3] pulls the URI via ssl_ext_lookup, calculates the
modulus and exponent of the client certificate, and authenticates the user to
this URI identity if the mod/exp published at the URI match those of the
presented certificate.
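As an added illustration (not part of the bug report or the attached patch), this is how a virtual host would use the option the patch proposes together with the certificate export that a module such as mod_authn_webid needs. The value `require_no_ca` exists only with this patch applied; stock httpd 2.2.11 accepts `none`, `optional`, `require` and `optional_no_ca`. Hostname and file paths are placeholders, and the mod_authn_webid directives themselves are left out because the report does not document them.

```apache
<VirtualHost *:443>
    # placeholder hostname and key material
    ServerName example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # Proposed option from the patch: the client must present a certificate,
    # but its issuer does not have to appear in SSLCACertificateFile or
    # SSLCACertificatePath. Without the patch the closest stock setting is
    # "optional_no_ca", which the report says is insufficient because
    # 'optional' does not work with all browsers.
    SSLVerifyClient require_no_ca

    <Location /protected>
        # Export SSL_* variables and the PEM client certificate (SSL_CLIENT_CERT)
        # so the module or script behind mod_ssl can read the subjectAltName URI
        # and compute the certificate's modulus and exponent.
        SSLOptions +StdEnvVars +ExportCertData
    </Location>
</VirtualHost>
```

With CA checking switched off, a presented certificate proves nothing by itself: the binding between the connection and an identity comes only from the later comparison of the certificate's modulus and exponent against the key published at the subjectAltName URI. Anything served under this virtual host must therefore grant access on the outcome of that comparison, never on the mere presence of a client certificate.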

Please consider this short patch for inclusion.  It applies cleanly to release

