David P. Mott wrote:
> I don't know why I didn't find this in the dozens of Google searches
> that I did *before* I posted my question, but these seem to be what I'm
> looking for:
> SSLCADNRequestFile / SSLCADNRequestPath

Please be aware that Apache/ModSSL uses den SSLCADNRequest-
File / SSLCADNRequestPath only for submitting a list of
accepted CAs to the client. It does not use this for
verification. So: Usually a client will send the certificate
of the requested subCA (even if he has client certificates
from both CAs), but this does not mean that a malicious
client could not send a client certificate of the other
CA. This certificate would be accepted then (because
evaluation of the chain is still done against the certificates
from SSLCACertificateFile. There is no check against the
certificates from SSLCADNRequestFile...

Regards, Olaf


Dipl.Inform. Olaf Gellert INTRUSION-LAB.NET
Senior Researcher, www.intrusion-lab.net
PKI - and IDS - Services olaf.gellert@intrusion-lab.net

__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org