httpd-users mailing list archives

From Mohanavelu Subramanian <mhnv...@gmail.com>
Subject Re: [users@httpd] SSL - How client certificates are verified?
Date Sun, 23 Aug 2015 07:19:13 GMT
Hi,

With the option "SSLVerifyClient require", the server mandates that the client
send its certificate for authentication. Then the server verifies this
client certificate against the CA certificate file configured in Apache. If
the client certificate has been signed by a valid CA, then the
authentication is successful.

There are cases where a sub CA certificate can be generated from the root
certificate. So, this will end up in a hierarchy of CA certificates. The
final sub CA certificate would be used to sign the client certificate. With the
option "SSLVerifyDepth 10", the server will verify the client certificate
to the level of 10, meaning it will verify from 0 up the hierarchy to 10.
Maximum depth of CA Certificates in Client Certificate verification

When the client sends its fake certificate (not signed by the CA), the
authentication will fail at the server.

Regards,
Mohan

On Sun, Aug 23, 2015 at 12:21 PM, Sterpu Victor <victor@caido.ro> wrote:

> Hello
>
> I have a web page that asks for client certificate.
> These are the options for this:
>
> SSLVerifyClient require
> SSLVerifyDepth 10
>
> How does SSLVerifyClient verify the client certificate?
> Does this option protect against certificates manually made with a fake
> public-private key pair?
> So can someone make a certificate identical to the original, attach
> another set of public and private keys and pretend to be someone else?
>
> Thank you
>

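The check Mohan describes above, and the forgery Victor asks about, reproduced with the openssl command-line tool as an added example (not code from the thread or from httpd). It assumes openssl 1.1.1 or newer on PATH; the CA names, subjects and file names are made up.

```shell
#!/bin/sh
# Added example, not code from the thread or from httpd: it reproduces what
# "SSLVerifyClient require" + "SSLVerifyDepth N" check, using the openssl CLI.
# Assumes openssl 1.1.1 or newer on PATH; every name and subject is made up.
set -e
PKI=$(mktemp -d); trap 'rm -rf "$PKI"' EXIT

# Key pair plus certificate for <name>; CA:TRUE marks a (root or sub) CA.
# Signed by <issuer>'s key when given, otherwise self-signed.
cert() { # cert <name> <subject> <CA:TRUE|CA:FALSE> [issuer]
  openssl ecparam -name prime256v1 -genkey -noout -out "$PKI/$1.key"
  openssl req -new -key "$PKI/$1.key" -subj "$2" -out "$PKI/$1.csr" 2>/dev/null
  printf 'basicConstraints=critical,%s\n' "$3" > "$PKI/$1.ext"
  if [ -n "$4" ]; then signer="-CA $PKI/$4.pem -CAkey $PKI/$4.key -CAcreateserial"
  else signer="-signkey $PKI/$1.key"; fi
  openssl x509 -req -in "$PKI/$1.csr" $signer -days 1 \
    -extfile "$PKI/$1.ext" -out "$PKI/$1.pem" 2>/dev/null
}

# The server's check on a presented certificate: chain it (plus any sub CA
# the client sent along) to SSLCACertificateFile (root.pem here), verifying
# each signature on the way, and refuse chains longer than SSLVerifyDepth.
decision() { # decision <cert name> <depth> [sub CA name]
  chain=""; [ -n "$3" ] && chain="-untrusted $PKI/$3.pem"
  if openssl verify -no-CAfile -no-CApath -CAfile "$PKI/root.pem" \
       -verify_depth "$2" $chain "$PKI/$1.pem" >/dev/null 2>&1
  then echo accepted; else echo rejected; fi
}

# Genuine hierarchy: root CA -> sub CA -> client certificate.
cert root   "/CN=Example Root CA" CA:TRUE
cert sub    "/CN=Example Sub CA"  CA:TRUE  root
cert client "/CN=victor"          CA:FALSE sub
# The forgery asked about: identical names, but unrelated key pairs.
cert fakesub "/CN=Example Sub CA" CA:TRUE
cert forged  "/CN=victor"         CA:FALSE fakesub

echo "genuine cert, depth 10: $(decision client 10 sub)"      # accepted
echo "genuine cert, depth 0:  $(decision client 0 sub)"       # rejected: sub CA exceeds depth
echo "forged chain, depth 10: $(decision forged 10 fakesub)"  # rejected: not signed by trusted root
```

The names on the forged chain match the genuine ones exactly; it is rejected because the fake sub CA's certificate does not carry a signature made with the trusted root's private key, so the chain never reaches SSLCACertificateFile.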