> Second, I was trying to test the above question by creating
> self-signed certs, adding them to my browser, and making sure the
> server would not authenticate them. But when I did, my browser
> (Firefox) didn't even provide them as an option for me to use. I know
> this isn't strictly an apache question, but I think this is probably
> because of the "list of acceptable Certificate Authority names" sent
> to the browser by my server...does that sound correct? If this is the
> case, is there a way to get my server to tell the browser that any
> certificate is fine, but still only actually authenticate those signed
> by the appropriate CA's?

It has to be an explicit list from the server, and it should be assembled by virtue of whatever CA's apache trusts via the various SSL*CA directives.

I believe the list is sent as names only, so you could still do your testing if you had two CA's with the same DN -- your server would coax the client into sending but ultimately wouldn't be able to validate the signature.

Last time I tested to try to clarify the unclear doc, http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcertificatechainfile did not affect the list of trusted CA's, despite the implied overlap, but I also recall other people reporting the exact opposite.

--
Eric Covener
covener@xxxxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
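
The two-CA test suggested above can be set up with the openssl command line; this is an added example, not part of the original message, and the DN, file names and helper function names are constructed for illustration. It shows that a certificate issued by the look-alike CA matches the trusted CA by issuer name yet fails signature verification against it.

```shell
#!/bin/sh
# Added example: two test CAs with the same DN but different keys.
# The DN, file names and temp directory are constructed for this test.
set -eu
DN="/O=Example Test Org/CN=Example Client CA"

make_ca() {        # $1 = file prefix; self-signed CA carrying the shared DN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$DN" \
        -keyout "$1.key" -out "$1.pem" 2>/dev/null
}

make_client() {    # $1 = issuing CA prefix, $2 = client cert prefix
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2-user" \
        -keyout "$2.key" -out "$2.csr" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# Name-only comparison: the kind of match a client can make against the
# server's list of acceptable CA names.
issuer_matches() { # $1 = CA cert, $2 = client cert
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$2" -noout -issuer_hash)" ]
}

# Signature check against the trusted CA's key: what the server must pass.
chain_verifies() { # $1 = CA cert, $2 = client cert
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {         # $1 = client cert prefix
    if issuer_matches trusted.pem "$1.pem"; then n=yes; else n=no; fi
    if chain_verifies trusted.pem "$1.pem"; then v=yes; else v=no; fi
    echo "$1: issuer name matches trusted CA=$n, signature verifies=$v"
}

WORK=$(mktemp -d)
cd "$WORK"
make_ca trusted        # the CA the server is configured to trust
make_ca lookalike      # same DN, unrelated key
make_client trusted good
make_client lookalike bad
report good
report bad
```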