On Fri, 2006-01-06 at 10:47 -0500, Rob Crittenden wrote: > Mark McLoughlin wrote: > > What appears to be happening is that NSS requires at least one CA > > certificate to be available in order to send a certificate request > > during the handshake. However, my CA certificate isn't trusted for > > client auth and NSS isn't aware of any other CAs for client auth, so it > > barfs. > > > > I find this puzzling because looking through the NSS code, it looks > > like the CA certificates from nssckbi should be used for client auth - > > e.g. the error suggests that if I make my CA trusted for client auth, it > > will be the *only* CA used for client auth and that the root CAs will be > > ignored? > > The question is: Do you want to do client certificate authentication? If > not then you should be able to disable client auth in the directory > server and this message should go away. I'm not a FDS developer so I > can't really say how one would do this configuration. Yep, if you disable client auth, no attempt is made to send a certificate request during the handshake and you don't get any error. (To disable it you seem to have to set both "nsslapd-sslclientauth" on "cn=config" and "nsSSLClientAuth" on "cn=encryption,cn=config") > As for the trust issue, this goes a bit beyond my knowledge. This would > be a good question for the NSS guys in the > netscape.public.mozilla.crypto newsgroup (on nntp://news.mozilla.org). Okay, thanks for your help. Cheers, Mark.
