httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Issac Goldstand <>
Subject Re: Documentation for Apache httpd SSLVerifyClient considered harmful
Date Wed, 18 Apr 2012 07:30:14 GMT

On 18/04/2012 05:10, Kyle Hamilton wrote:
> On Tue, Apr 17, 2012 at 6:57 PM, Eric Covener <> wrote:
>>> For these reasons, the paragraph in question is harmful, and I
>>> petition that
>>> it be struck from the documentation.
>> How about something to the effect of "optional and optional_no_ca are
>> useful if you want to validate the certificate yourself, and generate
>> your own friendly error response if there's a problem".
>> Or, I'm totally misunderstandng the point.
> "optional" means that you can either accept a certificate from a
> particularly-named CA, or you want to handle the 403 yourself. 
> Various browsers (including Safari) will not let you send a
> certificate from a CA which hasn't been named in this circumstance,
> and will provide a blank credential selection dialog with "OK" greyed
> out and "Cancel" selected.  (This feels like "cancel the connection
> attempt" more than "cancel sending a certificate".)  It is related
> specifically to TLS/1.0 inability to legally send a blank "acceptable
> CAs" list.
> optional_no_ca means that you can accept a certificate from any CA,
> and you want to handle both the situations where there is no
> certificate and where there is a certificate from an untrusted CA
> (both 403) in the application.  This is useful where you care more
> about the key than the information directly bound to it.  It's also
> useful when you want to accept self-signed client certificates that
> contain multiple credential chains, and handle the additional parsing
> overhead in your application.  This requires TLS/1.1+.
> optional_no_ca is also the only effective means to handle alternate
> credential formats which can survive basic X.509 parsing, which again
> requires TLS/1.1+.
> -Kyle H
I actually like Kyle's response here - maybe just add it verbatim? 
Kyle, if you could reword the "none" (trivial) and "require" in the same
style, we can completely replace the whole sentence with a more detailed

Being a user who's looked at client crypto, never really got it working,
and would love to try again, I'd also be interested in a practical
explanation of how to use "optional_no_ca" to handle the 403 response -
best if it could be used in a CGI environment - and some more
information (if there is any) on the Safari issue.  Reading your
paragraph basically (as a user heeding the domain expert) tells me "If
you want to support users on Safari, you're going to have to wrack your
brain for some assbackward solution, or just otherwise give up"

But I love where this is going.


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message