Posted to users@httpd.apache.org by pierre lhostis <pi...@ipdiva.com> on 2005/05/30 17:05:37 UTC

[users@httpd] Mutual Authentication and Certification Authorities

Hello all,

Using:
- Apache          2.0.54-2
- Mozilla firefox 1.0.4-2

I want to use mutual authentication on my http server, and I only want
users with SSL client certificates issued by my Certificate Authority
(named 'myCA' here) to get access to the http server. myCA is a subCA
from a RootCA. I also set up another subCA (named 'AnotherCA') for test
purposes:

RootCA
  |-- MyCA
  |-- AnotherCA

(That is, the Root CA signed the myCA and AnotherCA certificates)

The HTTP SSL Server Certificate I use is also a certificate issued by
myCA.

My SSL Apache config looks like:
...
	ServerName whatever.com
	SSLEngine on

	SSLCipherSuite AES256+RSA:3DES+RSA
	SSLProtocol -SSLv2 +SSLv3
	SSLCertificateFile       /var/test/server.crt
	SSLCertificateKeyFile    /var/test/server.key
	SSLCACertificateFile     /var/test/cabundle.crt
	SSLVerifyClient require
	SSLVerifyDepth 2
...

The cabundle.crt file contains the certificates of Root CA and my CA.

On my Mozilla FireFox browser, I made some tests:
- I install a Client SSL certificate issued by MyCA (either alone or
with the RootCA and MyCA certificates going along with it)
  * Mutual Authentication works fine with SSLVerifyDepth = 2.
  * It does not work with SSLVerifyDepth = 1 which is OK.

- Then I install a Client SSL certificate issued by AnotherCA.
  * This certificate is not recognized by my http server when I don't
include the RootCA and AnotherCA certificates in FireFox. OK.
  * Otherwise (Firefox has the complete CA path: the RootCA certificate,
the AnotherCA certificate and the client SSL certificate), mutual
authentication works, and that is really what I don't want to occur!

In my opinion, my Apache server should never accept this certificate in
any case because it does not know about the AnotherCA's certificate in
its CA Bundle File.
Of course, if I set up SSLVerifyDepth = 1 and give my http server only
the myCA certificate, then I would be able to filter the AnotherCA
client certificates, but, on the other hand, I won't be able to check
the chain path up to the RootCA, which is not good at all...

Any ideas on what is happening?

Thanks in advance,
Pierre

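One way to get the filtering described above without dropping the RootCA from the bundle, as an added example (not the original poster's config): keep the chain check exactly as posted and add an issuer check on the client certificate with SSLRequire. The issuer CN "MyCA" and the log file path are assumptions.

```apache
# Added example, not the original poster's config. Trust store and depth are
# kept as in the post so the chain still verifies up to the RootCA; the
# issuer CN "MyCA" and the log path are assumed placeholders.
<VirtualHost _default_:443>
    ServerName whatever.com
    SSLEngine on
    SSLCipherSuite AES256+RSA:3DES+RSA
    SSLProtocol -SSLv2 +SSLv3
    SSLCertificateFile       /var/test/server.crt
    SSLCertificateKeyFile    /var/test/server.key

    # RootCA + MyCA, as in the post. Because RootCA is a trust anchor, any
    # subCA it signed (AnotherCA included) chains up successfully, so
    # trust-store membership alone cannot distinguish MyCA from AnotherCA.
    SSLCACertificateFile     /var/test/cabundle.crt
    SSLVerifyClient require
    SSLVerifyDepth 2

    # Chain verification answers "is this a valid cert under a CA I trust";
    # this answers "was it issued by the one subCA I accept". StrictRequire
    # makes a failed SSLRequire deny the request regardless of other access
    # directives. Comparing the full %{SSL_CLIENT_I_DN} against the exact
    # issuer DN is stricter than the CN alone, if the DN is known.
    SSLOptions +StrictRequire
    SSLRequire %{SSL_CLIENT_I_DN_CN} eq "MyCA"

    # Record issuer and subject DN of every client certificate, so accepted
    # and rejected issuers are visible in the log.
    CustomLog /var/log/apache2/ssl_client.log \
        "%t %h %{SSL_CLIENT_I_DN}x %{SSL_CLIENT_S_DN}x %>s"
</VirtualHost>
```

On Apache 2.4, where SSLRequire is deprecated, the equivalent check is `Require expr %{SSL_CLIENT_I_DN_CN} == 'MyCA'`.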

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.