Oh, good call!

So, now I'm looking at:

* SSLCACertificateFile, to hold all of the certificates that I would
authenticate against;
* SSLCADNRequestFile, to send an acceptable list of certificates to the
client;
* SSLRequire, to prevent malicious clients from sending me a certificate
that would validate against a CA higher up the chain than what I want.

I'd probably have researched the SSLRequire part of it anway; all of our
production Apache servers are 2.0.x, which don't support the
SSLCADNRequestFile directive. Until they can be upgraded, I'll want to
prevent the use of an inappropriate certificate.

Thanks for taking the time to respond to this issue.

-dpmott

On Tue, 24 Apr 2007, Olaf Gellert wrote:

> David P. Mott wrote:
>>
>> I don't know why I didn't find this in the dozens of Google searches
>> that I did *before* I posted my question, but these seem to be what I'm
>> looking for:
>>
>> SSLCADNRequestFile / SSLCADNRequestPath

>
> Please be aware that Apache/ModSSL uses den SSLCADNRequest-
> File / SSLCADNRequestPath only for submitting a list of
> accepted CAs to the client. It does not use this for
> verification. So: Usually a client will send the certificate
> of the requested subCA (even if he has client certificates
> from both CAs), but this does not mean that a malicious
> client could not send a client certificate of the other
> CA. This certificate would be accepted then (because
> evaluation of the chain is still done against the certificates
> from SSLCACertificateFile. There is no check against the
> certificates from SSLCADNRequestFile...
>
> Regards, Olaf
>

__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org