httpd-users mailing list archives

From <John.E.Gr...@wellsfargo.com>
Subject [users@httpd] What verification does Apache do as part of SSLVerifyClient?
Date Wed, 05 Sep 2012 20:32:53 GMT
All,

I'm starting to use SSLVerifyClient.  I can't find any documentation on exactly what it means
to verify a client, however.

By reading the source, I found that some of the work is delegated to OpenSSL and its behavior
is somewhat documented here:  http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html.  When
it says "signatures and issuer attributes are checked," I assume it's checking that the issuer
is trusted and the cert is not expired.  Do you know of anything else?

Also, does Apache itself do anything besides this? I can't really read the C source well
enough to know (ssl_engine_kernel's ssl_callback_SSLVerify function seems to be the place).
For example, is there anything that checks that the request is coming from the host identified
in the cert? I assume there is but don't see anything like that in the src.

Thanks

John



