httpd-users mailing list archives

From Brian Mearns <>
Subject Re: [users@httpd] mod_ssl Client authentication question
Date Fri, 16 Jan 2009 14:11:36 GMT
On Fri, Jan 16, 2009 at 8:51 AM, Eric Covener <> wrote:
>> Second, I was trying to test the above question by creating
>> self-signed certs, adding them to my browser, and making sure the
>> server would not authenticate them. But when I did, my browser
>> (Firefox) didn't even provide them as an option for me to use. I know
>> this isn't strictly an apache question, but I think this is probably
>> because of the "list of acceptable Certificate Authority names" sent
>> to the browser by my server...does that sound correct? If this is the
>> case, is there a way to get my server to tell the browser that any
>> certificate is fine, but still only actually authenticate those signed
>> by the appropriate CA's?
> It has to be an explicit list from the server, and it should be
> assembled by virtue of whatever CA's apache trusts via the various
> SSL*CA directives.  I believe the list is sent as names only, so you
> could still do your testing if you had two CA's with the same DN --
> your server would coax the client into sending but ultimately wouldn't
> be able to validate the signature.

Sounds good, I can fake up another CA easily enough. Thanks for the tip.

Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from:

The official User-To-User support forum of the Apache HTTP Server Project.
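
The test suggested in the reply above, sketched with the openssl command line as an added example (not part of the original thread): two CAs share one subject DN but hold different keys, and a client certificate issued by the look-alike CA is checked against each. All DNs, file names and function names here are constructed for the lab.

```shell
#!/bin/sh
# Constructed lab: every name, DN and file below is made up for illustration.
SUBJ_CA="/O=Example Lab/CN=Example Client CA"   # DN shared by both CAs
SUBJ_CLIENT="/O=Example Lab/CN=test-client"

make_ca() {        # $1 = file prefix; writes $1.key and self-signed $1.crt
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$SUBJ_CA" \
        -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

issue_client() {   # $1 = CA prefix, $2 = client prefix
    openssl req -newkey rsa:2048 -nodes -subj "$SUBJ_CLIENT" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" \
        -set_serial 1 -days 30 -out "$2.crt" 2>/dev/null
}

dn_of() {          # $1 = subject|issuer, $2 = certificate file
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

verifies() {       # exit 0 only if cert $2 validates against CA file $1
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

run_lab() {        # exit 0 when the lab behaves as the thread predicts
    dir=$(mktemp -d) || return 1
    ( cd "$dir" &&
      make_ca trusted && make_ca lookalike &&
      issue_client lookalike client &&
      # Issuer name equals the trusted CA's subject, so a client that
      # filters on the server's list of acceptable CA names sees a match.
      [ "$(dn_of issuer client.crt)" = "$(dn_of subject trusted.crt)" ] &&
      # Validation is decided by keys, not names: the certificate checks
      # out against its real issuer and is rejected against the trusted CA.
      verifies lookalike.crt client.crt &&
      ! verifies trusted.crt client.crt ) && rc=0 || rc=1
    rm -rf "$dir"
    return $rc
}
```

With `trusted.crt` as the CA configured through the SSL*CA directives, a server is expected to reject `client.crt` at the handshake even though the browser offers it.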