Re: mod_ssl Client authentication question

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Brian Mearns wrote:
> I just want to double check some things because I implement ssl client
> auth on my server, to make sure I really understand what I'm doing:
>
> First, if I use SSLRequire to check various fields in a client's
> certificate, is it implied that the certificate has already been
> verified as signed by one of the CA's I've defined in
> SSLCACertificateFile, for instance? In other words, this isn't just
> checking that someone made a certificate with the correct DN values,
> right? It's also verifying implicitly that it comes from an approved
> CA? I assume the same is true if I use FakeBasicAuth?
>
> Second, I was trying to test the above question by creating
> self-signed certs, adding them to my browser, and making sure the
> server would not authenticate them. But when I did, my browser
> (Firefox) didn't even provide them as an option for me to use. I know
> this isn't strictly an apache question, but I think this is probably
> because of the "list of acceptable Certificate Authority names" sent
> to the browser by my server...does that sound correct? If this is the
> case, is there a way to get my server to tell the browser than any
> certificate is fine, but still only actually authenticate those signed
> by the appropriate CA's?
>
> Using: Apache/2.2.11 (Unix) mod_ssl/2.2.11 OpenSSL/0.9.8g
>
> Thanks for any help,
> -Brian
>
>   
If your FireFox is version 3, that lack of showing your self signed
certificates could be from the FF developers deciding that self signed
certificates are garbage and making FF ignore them.

Personally, I do not agree with the "trusted" CA list, since it implies
the CA backs the website owner for good business practices, when they do
not endorse websites in that fashion at all.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux