httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Mearns <mearn...@gmail.com>
Subject Re: [users@httpd] mod_ssl Client authentication question
Date Fri, 16 Jan 2009 14:11:36 GMT
On Fri, Jan 16, 2009 at 8:51 AM, Eric Covener <covener@gmail.com> wrote:
>> Second, I was trying to test the above question by creating
>> self-signed certs, adding them to my browser, and making sure the
>> server would not authenticate them. But when I did, my browser
>> (Firefox) didn't even provide them as an option for me to use. I know
>> this isn't strictly an apache question, but I think this is probably
>> because of the "list of acceptable Certificate Authority names" sent
>> to the browser by my server...does that sound correct? If this is the
>> case, is there a way to get my server to tell the browser than any
>> certificate is fine, but still only actually authenticate those signed
>> by the appropriate CA's?
>
> It has to be an explicit list from the server, and it should be
> assembled by virtue of whatever CA's apache trusts via the various
> SSL*CA directives.  I believe the list is sent as names only, so you
> could still do your testing if you had two CA's with the same DN --
> your server would coax the client into sending but ultimately wouldn't
> be able to validate the signature.

Sounds good, I can fake up another CA easily enough. Thanks for the tip.

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://pgp.mit.edu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message