httpd-users mailing list archives

From galaft wang <gal...@gmail.com>
Subject Re: [users@httpd] How to ignore common name during client certificate verification?
Date Fri, 16 Jul 2010 02:29:25 GMT
Hi,

I am not sure I got your idea... Do you mean that, with a configuration such as
"SSLEngine on and SSLVerifyClient require", Apache doesn't deny a request from
a client whose IP (or FQDN) doesn't match its certificate CN?

But according to my experiments, Apache will deny the request with such a
configuration.

Could you please tell me more details about "SSLVerifyClient require"? How
does mod_ssl verify a client certificate? There is a lot of content in a
certificate, e.g. Issuer, Time Validity, Subject CN, Subject Public Key
Info, etc. Will Apache verify each item?


Br, Jason


On Wed, Jul 14, 2010 at 6:59 PM, Eric Covener <covener@gmail.com> wrote:

> On Tue, Jul 13, 2010 at 10:21 PM, galaft wang <galaft@gmail.com> wrote:
> > Hi,
> > Normally, the CN would be the IP address of the client; if the client IP does
> > not match its certificate CN, Apache would deny its request. This is used in
> > a highly secured network.
>
> Not with just SSLEngine on and SSLVerifyClient require it doesn't.
>
>
> --
> Eric Covener
> covener@gmail.com
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
>
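
The distinction drawn in the quoted reply, shown as an added configuration example that is not part of the thread: `SSLVerifyClient require` on its own validates the client certificate chain against the configured CA, while a CN-to-address comparison only happens if it is requested explicitly, here with `SSLRequire`. The host name, file paths and the `/restricted` location are placeholders assumed for illustration.

```apache
# Added illustration; host name, paths and location are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Chain verification only: the client certificate must be signed by a
    # CA in this file, stay within SSLVerifyDepth and be inside its validity
    # period. The subject CN is not compared with the client's address here.
    SSLCACertificateFile /path/to/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    # A CN-to-address binding has to be asked for explicitly. With this
    # rule, a certificate whose CN differs from the connecting IP is refused
    # for /restricted even though its chain verified.
    <Location /restricted>
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_ADDR}
    </Location>
</VirtualHost>
```

When a request is refused with only the first group of directives in place, the mod_ssl messages in the error log at `LogLevel info` or higher show which chain check failed (unknown issuer, expired certificate, depth exceeded).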
