Correct use of SSLVerifyClient and Sub-Ordinate CAs

on 19.11.2007 10:24:09 by Anony Mouse

I've found myself in the same quandary as this guy [1]. My CA
structure is as follows.

- RootCA
- SubCA1
- SubCA1 Server
- SubCA1 Clients
- SubCA2
- SubCA2 Server
- SubCA2 Clients

I have two HTTPS vhost containers. One which has a server certificate
issued by SubCA1 and should only accept client certificates from
SubCA1. Likewise, another for SubCA2, which should only accept client
certificates from SubCA2.

The only way I seem to reliably [2] allow IE and Firefox clients to
connect to their respective servers is, in the instance of the first
vhost, to reference RootCA + SubCA1 in SSLCACertificateFile and set
SSLCACertificateFile to 2. However in the following scenarios clients
with SubCA2 certificates are also able to connect, which would appear
to negate the crux of SSLVerifyClient.

a) Using openssl s_client with a client certificate on SubCA2 and
-CAfile referencing RootCA + SubCA2 succeeds.

b) Using Firefox with a client certificate on SubCA2 to connect to the
SubCA2 hostname and once loaded then changing to the SubCA1 hostname
also succeeds.

I see that there's been the addition of the SSLCADNRequestFile
directive in Apache 2.2.x, but I don't see how this relates to this
particular problem. I also understand that I could narrow the problem
by using SSLRequire directives and the %{SSL_CLIENT_I_DN} variable,
but this seems a hackish solution to something that should be handled
by SSLCACertificateFile alone. Is this a bug?

Any advice is appreciated. I can provide further details about my
Apache configs or logs if required.

Regards,


[1] http://www.mail-archive.com/modssl-users@modssl.org/msg17546.html
[2] Without, like the aforementioned poster, receiving "unable to get
issuer certificate" or Verify Depth errors
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Correct use of SSLVerifyClient and Sub-Ordinate CAs

on 14.12.2007 11:43:57 by Anony Mouse

On Nov 19, 2007 9:24 AM, Anony Mouse wrote:

> I see that there's been the addition of the SSLCADNRequestFile
> directive in Apache 2.2.x, but I don't see how this relates to this
> particular problem. I also understand that I could narrow the problem
> by using SSLRequire directives and the %{SSL_CLIENT_I_DN} variable,
> but this seems a hackish solution to something that should be handled
> by SSLCACertificateFile alone. Is this a bug?
>
> Any advice is appreciated. I can provide further details about my
> Apache configs or logs if required.


Nobody?

Regards,


Re: Correct use of SSLVerifyClient and Sub-Ordinate CAs

on 14.12.2007 12:10:03 by Joe Orton

On Mon, Nov 19, 2007 at 09:24:09AM +0000, Anony Mouse wrote:
> I've found myself in the same quandary as this guy [1]. My CA
> structure is as follows.
>
> - RootCA
> - SubCA1
> - SubCA1 Server
> - SubCA1 Clients
> - SubCA2
> - SubCA2 Server
> - SubCA2 Clients
>
> I have two HTTPS vhost containers. One which has a server certificate
> issued by SubCA1 and should only accept client certificates from
> SubCA1. Likewise, another for SubCA2, which should only accept client
> certificates from SubCA2.

I think this should work by using:

SSLCertificateChainFile rootca

SSLCACertificateFile SubCA1


SSLCACertificateFile SubCA2


joe
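The point behind both the original question and Joe's per-vhost layout is which certificates act as trust anchors: once RootCA is in the anchor set, every leaf that chains to RootCA through any of its sub-CAs verifies, so the only way to restrict a vhost to SubCA1 is to make SubCA1 the sole anchor (the root then belongs only in the server's own chain file) and, as a second line of defence, to check the client's issuer DN the way the thread's SSLRequire %{SSL_CLIENT_I_DN} idea does. The program below is an added example written for this page, not code from the thread or from mod_ssl: it constructs a throwaway RootCA / SubCA1 / SubCA2 hierarchy in memory with Go's crypto/x509 and shows that a SubCA2 client is accepted when RootCA+SubCA1 are the anchors but rejected when SubCA1 alone is. Go's verifier accepts any certificate in the anchor set as the end of a chain; OpenSSL only does so with partial-chain verification enabled (the X509_V_FLAG_PARTIAL_CHAIN option, added in 1.0.2) and otherwise insists on reaching a self-signed root, which is the "unable to get issuer certificate" failure the poster mentions. All names, the issuedBy helper and the certificate contents are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ca pairs a certificate with the private key that can sign children.
type ca struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// serial is a constructed, monotonically increasing serial number source.
var serial int64

func nextSerial() *big.Int {
	serial++
	return big.NewInt(serial)
}

// issue creates a certificate with common name cn, signed by parent, or
// self-signed when parent is nil. isCA marks it as a CA certificate.
func issue(cn string, parent *ca, isCA bool) *ca {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          nextSerial(),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	signerCert, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signerCert, signerKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &ca{cert: cert, key: key}
}

// hierarchy mirrors the thread's constructed PKI: RootCA -> SubCA1/SubCA2 -> clients.
type hierarchy struct {
	root, sub1, sub2, client1, client2 *ca
}

func buildHierarchy() hierarchy {
	root := issue("RootCA", nil, true)
	sub1 := issue("SubCA1", root, true)
	sub2 := issue("SubCA2", root, true)
	return hierarchy{
		root: root, sub1: sub1, sub2: sub2,
		client1: issue("SubCA1 client", sub1, false),
		client2: issue("SubCA2 client", sub2, false),
	}
}

// accepted reports whether leaf, presented together with the intermediate it
// was issued under (as a browser sends it), chains to one of the anchors.
// This is the decision SSLCACertificateFile feeds: the anchors are the file's contents.
func accepted(leaf, intermediate *x509.Certificate, anchors ...*x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, a := range anchors {
		roots.AddCert(a)
	}
	inter := x509.NewCertPool()
	inter.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// issuedBy is the belt-and-braces issuer check, the equivalent of testing
// %{SSL_CLIENT_I_DN} in SSLRequire: it only looks at the leaf's issuer DN.
func issuedBy(leaf *x509.Certificate, expectedIssuerCN string) bool {
	return leaf.Issuer.CommonName == expectedIssuerCN
}

func main() {
	h := buildHierarchy()
	// RootCA + SubCA1 as anchors (the poster's working configuration): SubCA2 clients slip through.
	fmt.Println("anchors RootCA+SubCA1, SubCA2 client accepted:", accepted(h.client2.cert, h.sub2.cert, h.root.cert, h.sub1.cert))
	// SubCA1 as the only anchor (one vhost of Joe's layout): only SubCA1 clients pass.
	fmt.Println("anchor SubCA1, SubCA1 client accepted:", accepted(h.client1.cert, h.sub1.cert, h.sub1.cert))
	fmt.Println("anchor SubCA1, SubCA2 client accepted:", accepted(h.client2.cert, h.sub2.cert, h.sub1.cert))
	fmt.Println("SubCA2 client issued by SubCA1:", issuedBy(h.client2.cert, "SubCA1"))
}
```

Run it with `go run` and compare the first line with the other two: the same SubCA2 client that a root-anchored vhost accepts is rejected as soon as the anchor set shrinks to SubCA1, and the issuer-DN check catches it even if the anchor file is later widened by mistake.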