I've found myself in the same quandary as this guy [1]. My CA
structure is as follows.

- RootCA
- SubCA1
- SubCA1 Server
- SubCA1 Clients
- SubCA2
- SubCA2 Server
- SubCA2 Clients

I have two HTTPS vhost containers. One which has a server certificate
issued by SubCA1 and should only accept client certificates from
SubCA1. Likewise, another for SubCA2, which should only accept client
certificates from SubCA2.

The only way I seem to reliably [2] allow IE and Firefox clients to
connect to their respective servers is, in the instance of the first
vhost, to reference RootCA + SubCA1 in SSLCACertificateFile and set
SSLCACertificateFile to 2. However in the following scenarios clients
with SubCA2 certificates are also able to connect, which would appear
to negate the crux of SSLVerifyClient.

a) Using openssl s_client with a client certificate on SubCA2 and
-CAfile referencing RootCA + SubCA2 succeeds.

b) Using Firefox with a client certificate on SubCA2 to connect to the
SubCA2 hostname and once loaded then changing to the SubCA1 hostname
also succeeds.

I see that there's been the addition of the SSLCADNRequestFile
directive in Apache 2.2.x, but I don't see how this relates to this
particular problem. I also understand that I could narrow the problem
by using SSLRequire directives and the %{SSL_CLIENT_I_DN} variable,
but this seems a hackish solution to something that should be handled
by SSLCACertificateFile alone. Is this a bug?

Any advice is appreciated. I can provide further details about my
Apache configs or logs if required.

Regards,


[1] http://www.mail-archive.com/modssl-u.../msg17546.html
[2] Without, like the aforementioned poster, receiving "unable to get
issuer certificate" or Verify Depth errors
__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org