Barret,

You need to use Apache 2.2 or above. See the new directives SSLCADNRequestFile and SSLCADNRequestPath for details at http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcadnrequestfile

If you must use older versions of Apache, I did create a patch for mod_ssl 2.8.22, which is used by Apache 1.3.33 and Apache 2.0.52, but you will have to get those from me.

Verify depth is not your problem. There was a spec bug in mod_ssl. What you want is allowed for in the SSL v3/TLS v1.0 draft/spec and fully supported by OpenSSL, but was not supported by the mod_ssl design.

In general, you don't want the verify depth arbitrarily high for security reasons. I keep mine around three or four. As you found, a depth of one will never work for trust with intermediate CAs because there is no room to reach the necessary anchor.

Post again here if you need a patch to the old stuff.

regards,
TT

-----Original Message-----
From: Rhoden, Barret J. Mr. CN (NGIT) HQ USAREUR/7A CIO G6 [mailto:barret.rhoden@xxxxxxxxxxx]
Sent: Monday, September 25, 2006 7:28 AM
To: 'users@xxxxxxxxxxxxxxxx'
Subject: [users@httpd] SSLVerifyDepth and Intermediate CAs

Hi -

When using certificate authentication for clients, does the certificate in the approved SSLCACertificatePath (or List) have to be a self-signed certificate? I would like to be able to explicitly trust specific intermediate CAs, instead of the root CA and every intermediate CA that root CA signs.

I tried setting SSLVerifyDepth to 1 and put the intermediate CA's cert in the appropriate path, but the only way Apache seems to accept a client certificate is if the depth reaches the root cert, and the root cert is in the path.

If this is working as intended, can someone (me?) add a note to the documentation saying that (unless it was supposed to be intuitively obvious to the casual observer)? If not, what pitfalls might I have stumbled into?

Thanks in advance,
Barret
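The two configurations the thread contrasts, written out as an added example (not from either e-mail or the Apache project); it assumes Apache 2.2 and the placeholder file paths shown:

```apache
# Constructed example, not from the thread. Paths are placeholders.

# What the original poster tried: only the intermediate CA in the trust
# store and a depth of 1. Depth 1 only allows a client certificate signed
# directly by a self-signed CA in SSLCACertificateFile, so a chain of
# client cert -> intermediate -> root is rejected even though the
# intermediate is present (there is no room to reach a trust anchor).
#   SSLVerifyClient        require
#   SSLVerifyDepth         1
#   SSLCACertificateFile   /etc/apache2/ssl/intermediate-ca.pem

# Working setup on Apache 2.2 or later: keep the self-signed root as the
# trust anchor, give the depth enough room for one intermediate (depth 2;
# the reply above keeps it around 3 or 4, never arbitrarily high), and
# use SSLCADNRequestFile to advertise only the chosen intermediate CA.
SSLEngine              on
SSLVerifyClient        require
SSLVerifyDepth         2
# Root CA plus intermediate CA, concatenated PEM, so the chain can be
# completed up to the anchor.
SSLCACertificateFile   /etc/apache2/ssl/trusted-chain.pem
# Only this CA's distinguished name is sent to the client in the
# certificate request, so browsers offer only certificates issued under it.
# Note: this restricts what is advertised, not what is trusted; trust is
# still decided by SSLCACertificateFile and SSLVerifyDepth.
SSLCADNRequestFile     /etc/apache2/ssl/intermediate-ca.pem
```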