List: apache-modssl
Subject: Does "SSLVerifyDepth 1" actually allow self-signed client certificates?
From: "Vladimir A. Pavlov" <pv4 () bk ! ru>
Date: 2007-12-18 11:18:03
Message-ID: E1J4aSZ-0009Ne-00.pv4-bk-ru () f75 ! mail ! ru
Hi!
I am trying to use mod_ssl to protect a part of my site from all users except a few people who have client certificates signed by my _self-created_ CA key. I created my ca.crt and signed some CSR files with it, and I have no problems accessing the site with those.
I use the following httpd.conf options:
> ...
> <Location /private>
> SSLVerifyClient require
> SSLVerifyDepth 1
> SSLCACertificateFile "/path/to/my/ca.crt"
> </Location>
> ...
But the Apache docs say: "... the default depth of 1 means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server".
That means that _everybody_ can access the private part of my site just by creating a self-signed certificate and using it to authenticate himself/herself.
Then I wanted to check whether it is as bad as the docs say. I created a self-signed certificate with the following commands and tried to authorize using the resulting clt.p12:
> openssl genrsa -out clt.pem 1024
> openssl req -new -x509 -key clt.pem -out clt.crt -days 100
> openssl pkcs12 -export -inkey clt.pem -in clt.crt -out clt.p12
and I got the error "The presented certificate has an unknown Certificate Authority." in my browser (Opera 9.22). The server logs contained the following:
> [error] Certificate Verification: Error (18): self signed certificate
> [error] Re-negotiation handshake failed: Not accepted by client!?
So, I see the docs don't mean what I think they mean... or I'm wrong somewhere (for example, in creating a self-signed certificate, or in understanding what "self-signed certificate" means in the context of the Apache docs).
So, here are the questions:
1. Are the docs correct?
2. Do I correctly understand that in any case (with any value of SSLVerifyDepth) everybody will be able to access the private part of my site (since everybody can create a self-signed certificate)?
3. If so, why can't I use a self-signed certificate to access my site?
4. Is there a way to grant access only to users with a certificate signed by my ca.crt?
I use Windows XP, Apache/2.2.6, mod_ssl/2.2.6, OpenSSL/0.9.8e, PHP/5.2.3.
Help me, please...
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org