https://bugzilla.redhat.com/show_bug.cgi?id=719401
mod_nss will accept all certificates from CA's trusted in the certificate database. There is now way to configure that per server.
A patch was included in the original BZ submission.
Have had a similar request to send no CA certs. Note that this isn't possible using SSL_SetTrustAnchors().
Login to comment on this ticket.