Posted to users@httpd.apache.org by "TAYLOR, TIM (CONTRACTOR)" <TI...@DFAS.MIL> on 2006/11/01 16:11:55 UTC

RE: [users@httpd] SSLVerifyDepth and Intermediate CAs

Barret,

You need to use Apache 2.2 or above. See the new directives
SSLCADNRequestFile and SSLCADNRequestPath for details at
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcadnrequestfile 

If you must use older versions of Apache, I did create a patch for mod_ssl
2.8.22, which is used by Apache 1.3.33 and Apache 2.0.52, but you will have to
get those from me.

Verify depth is not your problem. There was a spec bug in mod_ssl. What you
want is allowed for in the SSL v3/TLS v1.0 draft/spec and fully supported by
OpenSSL, but was not supported by the mod_ssl design. In general, you don't want
the verify depth arbitrarily high for security reasons. I keep mine around
three or four. As you found, a depth of one will never work for trust with
intermediate CAs because there is no room to reach the necessary anchor.

Post again here if you need a patch to the old stuff.

regards,
TT
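
An httpd 2.2 configuration that puts the directives discussed above together, as an added example that is not from either message or from the httpd documentation; the file paths are assumed placeholders.

```apache
# Added example (not from the thread): httpd 2.2 client-certificate setup.
# All file paths below are assumed placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # Certificates used to VERIFY the client's chain. As the original post
    # found, verification only succeeds when the chain reaches the root, so
    # the root is bundled here together with the intermediate.
    SSLCACertificateFile  /etc/httpd/ssl/root-plus-intermediate.pem

    # Names ADVERTISED to the client in the TLS CertificateRequest (2.2+).
    # Listing only the intermediate here asks clients for certificates
    # issued under that CA, without advertising every CA that is present
    # in SSLCACertificateFile for verification.
    SSLCADNRequestFile    /etc/httpd/ssl/intermediate-only.pem

    SSLVerifyClient require

    # client -> intermediate -> root needs a depth of 2; a depth of 1 can
    # never validate it (the failure described in the original post).
    # 3 leaves room for one more intermediate while still keeping the
    # chain length bounded, as the reply recommends.
    # SSLVerifyDepth 1     <- too shallow for any intermediate CA
    SSLVerifyDepth 3
</VirtualHost>
```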


-----Original Message-----
From: Rhoden, Barret J. Mr. CN (NGIT) HQ USAREUR/7A CIO G6
[mailto:barret.rhoden@us.army.mil] 
Sent: Monday, September 25, 2006 7:28 AM
To: 'users@httpd.apache.org'
Subject: [users@httpd] SSLVerifyDepth and Intermediate CAs

hi - 

when using certificate authentication for clients, does the certificate in
the approved SSLCACertificatePath (or List) have to be a self-signed
certificate?

I would like to be able to explicitly trust specific intermediate CAs,
instead of the root CA and every intermediate CA that root CA signs. I
tried setting SSLVerifyDepth to 1 and put the intermediate CA's cert in the
appropriate path, but the only way Apache seems to accept a client
certificate is if the depth reaches the root cert, and the root cert is in
the path.

If this is working as intended, can someone (me?) add a note to the
documentation saying that (unless it was supposed to be intuitively obvious
to the casual observer)? If not, what pitfalls might I have stumbled into?

thanks in advance,

barret