httpd-users mailing list archives

From Marat Khalili <...@rqc.ru>
Subject Re: [users@httpd] SSL - How client certificates are verified?
Date Sun, 23 Aug 2015 17:16:06 GMT
In this case, could you please post the results when you get the 
SSLOCSPEnable fixed? I'm particularly interested in performance.

--

With Best Regards,
Marat Khalili

On 23/08/2015 19:57, Sterpu Victor wrote:
> There are 4 CAs, at least 1 uses OCSP (only 1 I called).
> I hope all of them use OCSP, I don't know the legislation but it seems 
> normal to be required by law.
> ------ Original Message ------
> From: "Marat Khalili" <mkh@rqc.ru <mailto:mkh@rqc.ru>>
> To: users@httpd.apache.org <mailto:users@httpd.apache.org>
> Sent: 8/23/2015 7:51:14 PM
> Subject: Re: [users@httpd] SSL - How client certificates are verified?
>> Oh, I see. In this case you will have to check the status of their 
>> certificates. Still, I suspect all of the tokens are issued by one 
>> CA. Probably it is better to ask this CA for their procedures: do 
>> they use OCSP or just publish CRLs.
>> --
>>
>> With Best Regards,
>> Marat Khalili
>>
>> On 23/08/2015 19:41, Sterpu Victor wrote:
>>> All clients already have PKCS11 tokens.
>>> It would be too complicated for them to get used to something else.
>>> ------ Original Message ------
>>> From: "Marat Khalili" <mkh@rqc.ru <mailto:mkh@rqc.ru>>
>>> To: users@httpd.apache.org <mailto:users@httpd.apache.org>
>>> Sent: 8/23/2015 7:34:07 PM
>>> Subject: Re: [users@httpd] SSL - How client certificates are verified?
>>>> I see. However, accepting client certificates from world-recognized 
>>>> authorities is both more expensive (for clients) and more risky 
>>>> than running your own CA (recognized only by your server). If you 
>>>> personally know all your clients it is easier to issue them 
>>>> certificates directly, and revoke them by yourself too if needed.
>>>> --
>>>>
>>>> With Best Regards,
>>>> Marat Khalili
>>>>
>>>> On 23/08/2015 18:56, Sterpu Victor wrote:
>>>>> I want to make a page that will authenticate only with PKCS11 tokens.
>>>>> These tokens contain only certificates from a recognized authority.
>>>>> OCSP would be useful if the token has been declared lost or stolen.
>>>>> But I don't want to make things too complicated.
>>>>> ------ Original Message ------
>>>>> From: "Marat Khalili" <mkh@rqc.ru <mailto:mkh@rqc.ru>>
>>>>> To: users@httpd.apache.org <mailto:users@httpd.apache.org>
>>>>> Sent: 8/23/2015 6:51:02 PM
>>>>> Subject: Re: [users@httpd] SSL - How client certificates are verified?
>>>>>> Hello, what is your scenario? If you issue (sign) client 
>>>>>> certificates yourself, Apache can correctly verify them against a 
>>>>>> local CRL (certificate revocation list) file (server restart may 
>>>>>> be required after file update). There's information on the net 
>>>>>> concerning OCSP support for client authentication in newer 
>>>>>> versions of Apache (google SSLOCSPEnable), but I can see no real 
>>>>>> use for it save for some very complicated systems.
>>>>>> --
>>>>>>
>>>>>> With Best Regards,
>>>>>> Marat Khalili
>>>>>>
>>>>>> On 23/08/2015 09:51, Sterpu Victor wrote:
>>>>>>> Hello
>>>>>>> I have a web page that asks for client certificate.
>>>>>>> These are the options for this:
>>>>>>> SSLVerifyClient require
>>>>>>> SSLVerifyDepth 10
>>>>>>>
>>>>>>> How does SSLVerifyClient verify the client certificate?
>>>>>>> Does this option protect against certificates made manually with a 
>>>>>>> fake public-private key pair?
>>>>>>> So can someone make a certificate identical with the original, 
>>>>>>> attach another set of public and private keys and pretend to be 
>>>>>>> someone else?
>>>>>>> Thank you
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------------
>>>>>>> Avast logo <https://www.avast.com/antivirus> 	
>>>>>>>
>>>>>>> This email has been checked for viruses by Avast antivirus 
>>>>>>> software.
>>>>>>> www.avast.com <https://www.avast.com/antivirus>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> /*DISCLAIMER*:
>>>>>>> This e-mail message and its attached documents are confidential. 
>>>>>>> Distributing, disclosing or using them in any other way is 
>>>>>>> prohibited. If you are not the intended recipient of this message, 
>>>>>>> you are prohibited from acting on this information. Reading, 
>>>>>>> copying, distributing, disclosing or otherwise using the 
>>>>>>> information contained in this message constitutes a violation of 
>>>>>>> the law. If you have received this message by mistake, please 
>>>>>>> destroy it and notify the sender of the error. Since it cannot be 
>>>>>>> guaranteed that e-mail is a secure and error-free means of 
>>>>>>> transmitting information, it is your responsibility to ensure that 
>>>>>>> the message (including its attached documents) is validated and 
>>>>>>> authorized for use in your environment./
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
>


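The question that opened this thread (can someone copy a certificate, attach their own key pair and pass as the holder?) and the local CRL step Marat describes can be shown end to end in a few lines of Go. The block below is an added example; it is not part of the thread and not httpd code. It stands up a constructed in-memory private CA (the role of the bundle Apache loads via SSLCACertificateFile), issues a client certificate for a hypothetical token, splices a different public key into a byte-for-byte copy of that certificate, runs the same chain verification that `SSLVerifyClient require` performs, and finally checks a CA-signed CRL the way SSLCARevocationFile does. Every name, key and serial number is constructed; the OCSP path (SSLOCSPEnable) is not covered because Go's standard library ships no OCSP client.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on setup errors, which in this demonstration can only be programming mistakes.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// sign has signer sign tmpl over pub (self-signed when parent is tmpl itself) and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// swapPublicKey is the case asked about in the thread: a byte-for-byte copy of the genuine
// certificate with only its SubjectPublicKeyInfo replaced. It still parses; it must not verify.
func swapPublicKey(genuine *x509.Certificate, other *ecdsa.PublicKey) *x509.Certificate {
	otherSPKI := must(x509.MarshalPKIXPublicKey(other)) // same curve, so same encoded length
	raw := append([]byte(nil), genuine.Raw...)
	off := bytes.Index(raw, genuine.RawSubjectPublicKeyInfo)
	if off < 0 || len(otherSPKI) != len(genuine.RawSubjectPublicKeyInfo) {
		panic("cannot splice SubjectPublicKeyInfo")
	}
	copy(raw[off:], otherSPKI)
	return must(x509.ParseCertificate(raw))
}

// verifyClientCert is what `SSLVerifyClient require` amounts to: chain the presented certificate
// to a trusted CA, checking each signature, the validity period and the clientAuth usage.
func verifyClientCert(cert *x509.Certificate, roots *x509.CertPool) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// checkCRL is the local CRL step (SSLCARevocationFile in Apache): the list must carry the
// CA's signature and must not contain the certificate's serial number.
func checkCRL(cert *x509.Certificate, crlDER []byte, issuer *x509.Certificate) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("serial %s is revoked", cert.SerialNumber)
		}
	}
	return nil
}

// RunScenario builds a constructed demo CA (not a real authority) and returns the results for the
// genuine certificate, its key-swapped copy, the genuine one after revocation, and an unrevoked one.
func RunScenario() (genuineErr, swappedErr, revokedErr, unrevokedErr error) {
	caKey := newKey()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo Private CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caCert := sign(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	client := func(cn string, serial int64, pub *ecdsa.PublicKey) *x509.Certificate {
		return sign(&x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		}, caCert, pub, caKey)
	}
	holderKey, otherKey := newKey(), newKey() // key inside the real token; key someone else holds
	genuine := client("client-token-42", 1001, &holderKey.PublicKey)
	another := client("client-token-43", 1002, &holderKey.PublicKey)
	swapped := swapPublicKey(genuine, &otherKey.PublicKey)
	// Token 42 is reported lost, so the CA publishes a CRL listing its serial.
	crlDER := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: genuine.SerialNumber, RevocationTime: time.Now()}},
	}, caCert, caKey))
	return verifyClientCert(genuine, roots), verifyClientCert(swapped, roots),
		checkCRL(genuine, crlDER, caCert), checkCRL(another, crlDER, caCert)
}

func main() {
	g, s, r, u := RunScenario()
	fmt.Println("genuine:", g, "| swapped:", s, "| revoked:", r, "| unrevoked:", u)
}
```

Running it with `go run` prints a nil error for the genuine certificate, an unknown-authority error for the key-swapped copy (the CA's signature covers the whole TBSCertificate, public key included, so changing the key without the CA's private key breaks it), a revocation error for serial 1001 and nil for serial 1002. That is the answer to the original question: the verification behind `SSLVerifyClient require` is a signature chain to the CA bundle, so a certificate with a substituted key pair is rejected no matter how closely the rest of it matches, and a lost token is handled by listing its serial in the CRL that SSLCARevocationFile points at.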