httpd-docs mailing list archives

From Igor Galić <i.ga...@brainsware.org>
Subject Re: Documentation for Apache httpd SSLVerifyClient considered harmful
Date Wed, 18 Apr 2012 09:03:19 GMT


----- Original Message -----
> 
> On 18/04/2012 05:10, Kyle Hamilton wrote:
> >
> >
> > On Tue, Apr 17, 2012 at 6:57 PM, Eric Covener <covener@gmail.com>
> > wrote:
> >>> For these reasons, the paragraph in question is harmful, and I
> >>> petition that
> >>> it be struck from the documentation.
> >>
> >> How about something to the effect of "optional and optional_no_ca
> >> are
> >> useful if you want to validate the certificate yourself, and
> >> generate
> >> your own friendly error response if there's a problem".
> >>
> >> Or, I'm totally misunderstanding the point.
> >
> > "optional" means that you can either accept a certificate from a
> > particularly-named CA, or you want to handle the 403 yourself.
> > Various browsers (including Safari) will not let you send a
> > certificate from a CA which hasn't been named in this circumstance,
> > and will provide a blank credential selection dialog with "OK"
> > greyed
> > out and "Cancel" selected.  (This feels like "cancel the connection
> > attempt" more than "cancel sending a certificate".)  It is related
> > specifically to TLS/1.0 inability to legally send a blank
> > "acceptable
> > CAs" list.
> >
> > optional_no_ca means that you can accept a certificate from any CA,
> > and you want to handle both the situations where there is no
> > certificate and where there is a certificate from an untrusted CA
> > (both 403) in the application.  This is useful where you care more
> > about the key than the information directly bound to it.  It's also
> > useful when you want to accept self-signed client certificates that
> > contain multiple credential chains, and handle the additional
> > parsing
> > overhead in your application.  This requires TLS/1.1+.
> >
> > optional_no_ca is also the only effective means to handle alternate
> > credential formats which can survive basic X.509 parsing, which
> > again
> > requires TLS/1.1+.
> >
> > -Kyle H
> I actually like Kyle's response here - maybe just add it verbatim?
> Kyle, if you could reword the "none" (trivial) and "require" in the
> same
> style, we can completely replace the whole sentence with a more
> detailed
> explanation.

+1

> Being a user who's looked at client crypto, never really got it
> working,
> and would love to try again, I'd also be interested in a practical
> explanation of how to use "optional_no_ca" to handle the 403 response
> -
> best if it could be used in a CGI environment - and some more
> information (if there is any) on the Safari issue.  Reading your
> paragraph basically (as a user heeding the domain expert) tells me
> "If
> you want to support users on Safari, you're going to have to wrack
> your
> brain for some assbackward solution, or just otherwise give up"
> 
> But I love where this is going.
> 
>   Issac

i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515  2EA5 4B1D 9E08 A097 C9AE
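As an added example (not part of this thread and not code from the httpd project), here is a small CGI script in Python that does what Kyle and Issac are describing: with `SSLVerifyClient optional_no_ca` mod_ssl stops answering with its own 403, and the application reads the outcome from the standard mod_ssl CGI variables (`SSL_CLIENT_VERIFY`, `SSL_CLIENT_S_DN` and, with `SSLOptions +StdEnvVars +ExportCertData`, `SSL_CLIENT_CERT`) and produces its own friendly response. The placeholder certificate, the allow-list fingerprint and the environment dictionaries are constructed for illustration; a real deployment would load the fingerprints from configuration.

```python
#!/usr/bin/env python3
"""CGI script that makes the client-certificate decision itself.

Added example; assumes Apache httpd with mod_ssl configured roughly as:
    SSLVerifyClient optional_no_ca
    SSLOptions +StdEnvVars +ExportCertData
so the handshake completes for any presented certificate and the result is
exported to the CGI environment instead of being turned into a 403 by mod_ssl.
"""
import base64
import hashlib
import os
import re
import sys

# mod_ssl documents SSL_CLIENT_VERIFY as one of: NONE (no certificate),
# SUCCESS (chains to a CA in SSLCACertificateFile), GENEROUS (presented but
# not verified, the optional_no_ca case) or FAILED:<reason>.

# Constructed placeholder, NOT a real X.509 certificate: the script only
# hashes DER bytes, so any byte string serves to demonstrate the allow list.
CONSTRUCTED_DER = b"constructed placeholder, not a real certificate"
CONSTRUCTED_PEM = ("-----BEGIN CERTIFICATE-----\n"
                   + base64.encodebytes(CONSTRUCTED_DER).decode()
                   + "-----END CERTIFICATE-----\n")

# SHA-256 fingerprints of the DER encodings we are willing to accept even
# though no trusted CA vouches for them (assumed to come from configuration).
ALLOWED_FINGERPRINTS = {hashlib.sha256(CONSTRUCTED_DER).hexdigest()}


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body.

    Whitespace is removed before decoding because some httpd versions export
    SSL_CLIENT_CERT with the newlines replaced by spaces.
    """
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)


def is_known_certificate(pem):
    """True if the certificate's SHA-256 fingerprint is on the allow list."""
    try:
        der = pem_to_der(pem)
    except ValueError:  # covers binascii.Error from malformed base64
        return False
    return hashlib.sha256(der).hexdigest() in ALLOWED_FINGERPRINTS


def classify_client(environ):
    """Return (http_status, reason, subject_dn) for a CGI environment."""
    if environ.get("HTTPS", "").lower() != "on":
        return 403, "TLS is required for this resource", None
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    dn = environ.get("SSL_CLIENT_S_DN") or None
    if verify == "NONE":
        return 403, "No client certificate was presented", None
    if verify == "SUCCESS":
        return 200, "Certificate chains to a trusted CA", dn
    if verify == "GENEROUS":
        # mod_ssl accepted the handshake without validating the chain, so the
        # application must decide; here we pin on the certificate itself,
        # i.e. we care about the key more than about the issuing CA.
        if is_known_certificate(environ.get("SSL_CLIENT_CERT", "")):
            return 200, "Certificate is on the local allow list", dn
        return 403, "Certificate is neither CA-issued nor on the allow list", dn
    if verify.startswith("FAILED:"):
        return 403, "Certificate verification failed: " + verify[len("FAILED:"):], dn
    return 403, "Unexpected verification state " + verify, dn


def render_cgi_response(status, reason, dn):
    """Build the CGI output; 'Status:' lets the script choose the HTTP code."""
    phrase = "OK" if status == 200 else "Forbidden"
    body = reason + "\n"
    if dn:
        body += "Presented subject: " + dn + "\n"
    return ("Status: %d %s\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
            % (status, phrase)) + body


def main():
    status, reason, dn = classify_client(os.environ)
    sys.stdout.write(render_cgi_response(status, reason, dn))


if __name__ == "__main__":
    main()
```

The point of pinning on the certificate fingerprint in the `GENEROUS` branch is that `optional_no_ca` hands the script a certificate nobody has vouched for; the script must bind its trust to something it already knows (here the DER hash, which is what `openssl x509 -fingerprint -sha256` prints), or the 403 it replaces would simply have been traded for accepting anything.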


---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org

