Does "SSLVerifyDepth 1" actually allow self-signed client certificates?

on 18.12.2007 12:18:03 by pv4

Hi!

I'm trying to use mod_ssl to protect a part of my site from all users except a few people who have client certificates signed by my _self-created_ CA key. I created my ca.crt and signed some csr files with it, and have no problems accessing the site with those.

I use the following httpd.conf options:
> ...
>
> SSLVerifyClient require
> SSLVerifyDepth 1
> SSLCACertificateFile "/path/to/my/ca.crt"
>

> ...

But the Apache docs say: "... the default depth of 1 means the client certificate can be self-signed or has to be signed by a CA which is directly known to the server".

That means that _everybody_ can access the private part of my site just by creating a self-signed certificate and using it to authenticate himself/herself.

Then I wanted to check whether it's as bad as the docs say. I created a self-signed certificate with the following commands and tried to authenticate using the resulting clt.p12:

> openssl genrsa -out clt.pem 1024
> openssl req -new -x509 -key clt.pem -out clt.crt -days 100
> openssl pkcs12 -export -inkey clt.pem -in clt.crt -out clt.p12

and I got the error "The presented certificate has an unknown Certificate Authority." in my browser (Opera 9.22). The server logs contained the following:

> [error] Certificate Verification: Error (18): self signed certificate
> [error] Re-negotiation handshake failed: Not accepted by client!?

So, I see the docs don't mean what I think they mean... or I'm wrong somewhere (for example, in creating a self-signed certificate or in understanding what "self-signed certificate" means in the context of the Apache docs).

So, here are the questions:
1. Are the docs correct?
2. Do I correctly understand that in any case (with any value of SSLVerifyDepth) everybody will be able to access the private part of my site (since everybody can create a self-signed certificate)?
3. If so, why can't I use a self-signed certificate to access my site?
4. Is there a way to grant access only to users with a certificate signed by my ca.crt?

I use Windows XP, Apache/2.2.6, mod_ssl/2.2.6, OpenSSL/0.9.8e, PHP/5.2.3.

Help me, please...

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
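What mod_ssl actually checks, reproduced with the openssl CLI as an added example that is not part of the original post: the server only accepts a client certificate whose chain ends at a certificate listed in SSLCACertificateFile. The docs' "can be self-signed" case means the client certificate is itself placed in that file (it is then its own trust anchor); an arbitrary self-signed certificate that is not in the file fails path validation with verify error 18, which is exactly the "self signed certificate" line in the log above, whatever SSLVerifyDepth is set to. The CA name, the user names alice and stranger, the temporary directory and the function names are constructed for this illustration.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the chain check that
# mod_ssl performs against SSLCACertificateFile, using only the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# A private CA standing in for the poster's ca.crt (constructed, 100 days).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 100 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# A legitimate user: a CSR signed by the CA, like the poster's working users.
make_signed_client() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout "$WORK/alice.key" -out "$WORK/alice.csr" 2>/dev/null
    openssl x509 -req -days 100 -in "$WORK/alice.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/alice.crt" 2>/dev/null
}

# An arbitrary self-signed certificate, made the same way as the post's
# "openssl req -new -x509" command (the case the poster is worried about).
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 100 -subj "/CN=stranger" \
        -keyout "$WORK/stranger.key" -out "$WORK/stranger.crt" 2>/dev/null
}

# chains_to CAFILE CERT: exit 0 if CERT validates to a trust anchor in CAFILE.
# This is the X.509 path validation mod_ssl runs during the client handshake.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# rejected_as_self_signed CAFILE CERT: exit 0 if validation fails with
# X509 verify error 18 (DEPTH_ZERO_SELF_SIGNED_CERT), the code in the log.
rejected_as_self_signed() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q 'error 18'
}

make_ca
make_signed_client
make_self_signed

# 1. Certificate signed by the trusted CA: accepted.
if chains_to "$WORK/ca.crt" "$WORK/alice.crt"; then
    echo "alice.crt:    accepted (signed by ca.crt)"
fi

# 2. Self-signed certificate unknown to the server: rejected with error 18.
if ! chains_to "$WORK/ca.crt" "$WORK/stranger.crt"; then
    echo "stranger.crt: rejected against ca.crt"
    openssl verify -CAfile "$WORK/ca.crt" "$WORK/stranger.crt" 2>&1 | grep 'error 18' || true
fi

# 3. The docs' "self-signed" case: the same certificate IS the trust anchor
#    because it has been put into the CA file (here the file is the cert itself).
if chains_to "$WORK/stranger.crt" "$WORK/stranger.crt"; then
    echo "stranger.crt: accepted only when it is itself in the CA file"
fi
```

Case 2 is the situation in the post: a self-signed certificate that the server has never seen is not "directly known to the server" and is refused, so SSLVerifyDepth 1 with a CA file containing only ca.crt already restricts access to certificates issued by that CA. Case 3 shows the only way a self-signed client certificate gets in: an administrator deliberately appending it to SSLCACertificateFile.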