On Fri, Jan 16, 2009 at 8:51 AM, Eric Covener <covener@xxxxxxxxx> wrote:
>> Second, I was trying to test the above question by creating
>> self-signed certs, adding them to my browser, and making sure the
>> server would not authenticate them. But when I did, my browser
>> (Firefox) didn't even provide them as an option for me to use. I know
>> this isn't strictly an apache question, but I think this is probably
>> because of the "list of acceptable Certificate Authority names" sent
>> to the browser by my server...does that sound correct? If this is the
>> case, is there a way to get my server to tell the browser that any
>> certificate is fine, but still only actually authenticate those signed
>> by the appropriate CAs?
>
> It has to be an explicit list from the server, and it should be
> assembled by virtue of whatever CAs apache trusts via the various
> SSL*CA directives. I believe the list is sent as names only, so you
> could still do your testing if you had two CAs with the same DN --
> your server would coax the client into sending but ultimately wouldn't
> be able to validate the signature.

Sounds good, I can fake up another CA easily enough. Thanks for the tip.

--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://pgp.mit.edu/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
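The test setup discussed in this thread, as an added example that is not part of the original messages: a trusted CA and a look-alike CA that share one subject DN but hold different keys, with a check that only the certificate signed by the trusted key verifies. The DN, the CA names `trusted` and `lookalike`, and the file layout are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: two CAs with an identical subject DN and different keys.
# A client cert from the look-alike CA matches the advertised CA name,
# but its signature must not verify against the trusted CA.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
SUBJ="/O=Example Test/CN=Example Client CA"   # constructed DN shared by both CAs

make_ca() {            # $1 = CA name (directory under $WORK)
  mkdir -p "$WORK/$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$SUBJ" \
    -keyout "$WORK/$1/ca.key" -out "$WORK/$1/ca.crt" 2>/dev/null
}

issue_client() {       # $1 = CA name, $2 = client CN
  openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example Test/CN=$2" \
    -keyout "$WORK/$1/client.key" -out "$WORK/$1/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1/client.csr" -days 30 \
    -CA "$WORK/$1/ca.crt" -CAkey "$WORK/$1/ca.key" -CAcreateserial \
    -out "$WORK/$1/client.crt" 2>/dev/null
}

ca_subject()     { openssl x509 -noout -subject -in "$WORK/$1/ca.crt"; }
ca_fingerprint() { openssl x509 -noout -fingerprint -sha256 -in "$WORK/$1/ca.crt"; }

# Succeeds only if the named CA's client cert chains to the trusted CA's key.
verifies_against_trusted() {   # $1 = CA name whose client cert is checked
  openssl verify -CAfile "$WORK/trusted/ca.crt" "$WORK/$1/client.crt" 2>/dev/null \
    | grep -q ': OK$'
}

for ca in trusted lookalike; do
  make_ca "$ca"
  issue_client "$ca" "client-$ca"
done

echo "trusted   CA $(ca_subject trusted)"
echo "lookalike CA $(ca_subject lookalike)"
for ca in trusted lookalike; do
  if verifies_against_trusted "$ca"; then
    echo "$ca client cert: accepted by trusted CA"
  else
    echo "$ca client cert: rejected by trusted CA"
  fi
done
```

For the browser test, the trusted `ca.crt` is the file a directive such as `SSLCACertificateFile` would point at, and the look-alike client key and certificate can be bundled for import with `openssl pkcs12 -export`.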