httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Mearns <>
Subject [users@httpd] mod_ssl Client authentication question
Date Fri, 16 Jan 2009 13:39:24 GMT
I just want to double check some things because I implement ssl client
auth on my server, to make sure I really understand what I'm doing:

First, if I use SSLRequire to check various fields in a client's
certificate, is it implied that the certificate has already been
verified as signed by one of the CA's I've defined in
SSLCACertificateFile, for instance? In other words, this isn't just
checking that someone made a certificate with the correct DN values,
right? It's also verifying implicitly that it comes from an approved
CA? I assume the same is true if I use FakeBasicAuth?

Second, I was trying to test the above question by creating
self-signed certs, adding them to my browser, and making sure the
server would not authenticate them. But when I did, my browser
(Firefox) didn't even provide them as an option for me to use. I know
this isn't strictly an apache question, but I think this is probably
because of the "list of acceptable Certificate Authority names" sent
to the browser by my server...does that sound correct? If this is the
case, is there a way to get my server to tell the browser than any
certificate is fine, but still only actually authenticate those signed
by the appropriate CA's?

Using: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8g

Thanks for any help,

Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from:

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message