httpd-users mailing list archives

From Subhasis Rath <rath.subha...@gmail.com>
Subject Re: [users@httpd] How to ignore common name during client certificate verification?
Date Fri, 16 Jul 2010 02:41:21 GMT
All Apache needs is to trust the CA which issued the client cert.

SR

On Thu, Jul 15, 2010 at 10:29 PM, galaft wang <galaft@gmail.com> wrote:

> Hi,
>
> I am not sure I got your idea... Do you mean that with such a configuration,
> "SSLEngine on and SSLVerifyClient require", Apache doesn't deny a request from
> a client whose IP (or FQDN) doesn't match its certificate CN?
>
> But according to my experiments, Apache will deny the request with such a
> configuration.
>
> Could you please tell me more details about "SSLVerifyClient require"? How
> does mod_ssl verify the client certificate? There is a lot of content in a
> certificate, e.g. Issuer, Time Validity, Subject CN, Subject Public Key
> Info, etc. Will Apache verify each part?
>
>
> Br, Jason
>
>
> On Wed, Jul 14, 2010 at 6:59 PM, Eric Covener <covener@gmail.com> wrote:
>
>> On Tue, Jul 13, 2010 at 10:21 PM, galaft wang <galaft@gmail.com> wrote:
>> > Hi,
>> > Normally, CN would be the IP address of the client; if the client IP
>> > does not match its certificate CN, Apache would deny its request. This
>> > is used in a highly secured network.
>>
>> Not with just SSLEngine on and SSLVerifyClient require it doesn't.
>>
>>
>> --
>> Eric Covener
>> covener@gmail.com
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>
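
The configuration discussed in this thread, as an added example that is not part of the original messages or the project's own documentation. File paths, the server name and the /restricted location are placeholders; the SSLRequire rule at the end is an assumption about how a CN-equals-client-address policy could be expressed explicitly, since the directives named in the thread do not perform that comparison.

```apache
# Added example (not from the thread). Paths and names are placeholders.
<VirtualHost *:443>
    ServerName www.example.test

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # CA certificate(s) that client certificates must chain to.
    # Trusting this CA is what decides which client certs are accepted.
    SSLCACertificateFile  /path/to/client-ca.crt

    # Demand a client certificate and verify it against the CA above.
    # Verification covers the certificate chain (issuer signature, validity
    # period); the subject CN is not compared with the client's IP or FQDN.
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Location /restricted>
        # Optional and explicit: only with a rule like this is the subject CN
        # compared with the connecting address. Leave it out to accept any
        # certificate issued by the trusted CA regardless of its CN.
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_ADDR}
    </Location>
</VirtualHost>
```

When a request is rejected under SSLVerifyClient require, the mod_ssl entries in the error log state the verification failure reason (for example an untrusted issuer or an expired certificate), which helps separate a chain problem from a CN assumption.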
