httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <>
Subject [users@httpd] What verification does Apache do as part of SSLVerifyClient?
Date Wed, 05 Sep 2012 20:32:53 GMT

I'm starting to use SSLVerifyClient.  I can't find any documentation on exactly what it means
to verify a client, however.

By reading the source, I found that some of the work is delegated to OpenSSL and its behavior
is somewhat documented here:  When
it says "signatures and issuer attributes are checked," I assume it's checking that the issuer
is trusted and the cert is not expired.  Do you know of anything else?

Also, does Apache itself do anything besides this?  I can't really read the C source well
enough to know (ssl_engine_kernel's ssl_callback_SSLVerify function  seems to be the place.)
 For example, is there anything that checks that the request is coming from the host identified
in the cert?  I assume there is but don't see anything like that in the src.



View raw message