Eddy Nigg (StartCom Ltd.) wrote:
> Rob Crittenden wrote:
>> Yes, mod_nss supports the same environment variables as mod_ssl.
>> http://directory.fedoraproject.org/wiki/Mod_nss
> I couldn't figure (explicitly) from that page that this is the case....
http://directory.fedoraproject.org/docs/mod_nss.html#Environment
>> Normally mod_nss will not let you start Apache with a bad certificate (expired, not a server cert, etc). NSSEnforceValidCerts lets you override that.
> OK
>> There is no equivalent for SSLVerifyDepth. My understanding of how intermediate CAs are evaluated in NSS is admittedly sketchy but I believe it requires all of them to be installed and trusted.
> That seems to be the most likely explanation - knowing NSS. In client auth however the client mustn't send the full chain (not sure about that?) and the (intermediate) issuer doesn't necessarily have to be the same as the one on the server... How can I limit authentication to accept only one specific CA and otherwise fail? I expect here to run into the issue of the Mozilla browser selecting the most convenient client certificate on its own by default....
You can probably set up an NSSRequire rule for it: NSSRequire ( %{SSL_CLIENT_I_DN_O} eq "My CA") Or something like that.
Since mod_nss is conveniently included in Red Hat / StartCom Enterprise, I'll give it a shot on a test server...
Sure. Let me know if you run into any problems. rob
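The following is an added configuration example, not part of the original thread and not code from the mod_nss project, showing how the NSSRequire idea above fits into a mod_nss virtual host and what else has to be in place for it to work. It assumes the NSS database is /etc/httpd/alias, that the server certificate has the nickname Server-Cert, and that the restricting CA (and any intermediate between it and the client certificates, since NSS needs those installed and trusted in the database rather than relying on the client to send them) was imported with certutil using the "T" trust flag that marks a CA as trusted for client authentication. The CA DN values are placeholders; the exact string form in which mod_nss exports SSL_CLIENT_I_DN should be confirmed on the test server (for example by dumping the variable from a CGI under a location with NSSOptions +StdEnvVars) before relying on the full-DN match.

```apache
# Added example, not from the thread or the mod_nss project.
# Preparation (assumed, run once as root):
#   certutil -A -d /etc/httpd/alias -n "My CA" -t "CT,," -i myca.pem
#   certutil -A -d /etc/httpd/alias -n "My CA Intermediate" -t "CT,," -i myca-int.pem
# The "T" flag is what makes NSS accept the CA for client auth; without it
# NSSVerifyClient require rejects every client certificate from that CA.

<VirtualHost *:8443>
    NSSEngine on
    NSSCertificateDatabase /etc/httpd/alias
    NSSNickname Server-Cert

    # Fail the handshake unless the client presents a certificate that
    # chains to a CA trusted for client auth in the NSS database.
    NSSVerifyClient require

    # Weak rule (the one floated in the thread): matches only the issuer's
    # organization attribute, so any other CA trusted in the database whose
    # O happens to be "My CA" would also pass.
    # NSSRequire ( %{SSL_CLIENT_I_DN_O} eq "My CA" )

    # Stronger rule: match the issuer's complete DN. The DN string below is a
    # placeholder and its rendering must match what mod_nss exports.
    NSSRequire ( %{SSL_CLIENT_I_DN} eq "CN=My CA Intermediate,O=My CA,C=US" )

    # Export the SSL_* variables so the rule (and any application behind
    # Apache) can see the client certificate fields.
    <Location /secure>
        NSSOptions +StdEnvVars
    </Location>
</VirtualHost>
```

Note that NSSRequire is evaluated per request after the TLS handshake has already succeeded, so a client certificate from a different trusted CA is not refused at the handshake; it gets a 403 on the protected location. If the browser auto-selects a certificate from another CA, the user sees that 403 rather than a certificate prompt, which is the behaviour the question above anticipates.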
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto