httpd-users mailing list archives

From "Sterpu Victor" <vic...@caido.ro>
Subject Re[2]: [users@httpd] SSL - How client certificates are verified?
Date Sun, 23 Aug 2015 16:41:13 GMT
All clients already have PKCS11 tokens.
It would be too complicated for them to get used to something else.

------ Original Message ------
From: "Marat Khalili" <mkh@rqc.ru>
To: users@httpd.apache.org
Sent: 8/23/2015 7:34:07 PM
Subject: Re: [users@httpd] SSL - How client certificates are verified?

>I see. However, accepting client certificates from the world-
>recognized authorities is both more expensive (for clients) and more 
>risky than running your own CA (recognized only by your server). If you 
>personally know all your clients it is easier to issue them 
>certificates directly, and revoke them by yourself too if needed.
>-- With Best Regards, Marat Khalili
>On 23/08/2015 18:56, Sterpu Victor wrote:
>>I want to make a page that will authenticate only with PKCS11 tokens.
>>These tokens contain only certificates from a recognized authority.
>>OCSP would be useful if the token has been declared lost or stolen.
>>But I don't want to make things too complicated.
>>
>>
>>------ Original Message ------
>>From: "Marat Khalili" <mkh@rqc.ru>
>>To: users@httpd.apache.org
>>Sent: 8/23/2015 6:51:02 PM
>>Subject: Re: [users@httpd] SSL - How client certificates are verified?
>>
>>>Hello, what is your scenario? If you issue (sign) client certificates 
>>>yourself, Apache can correctly verify it against local CRL 
>>>(certificate revocation list) file (server restart may be required 
>>>after file update). There's information on the net concerning OCSP 
>>>support for client authentication in newer versions of Apache (google 
>>>SSLOCSPEnable), but I can see no real use for it save for some very 
>>>complicated systems.
>>>-- With Best Regards, Marat Khalili
>>>On 23/08/2015 09:51, Sterpu Victor wrote:
>>>>Hello
>>>>
>>>>I have a web page that asks for client certificate.
>>>>These are the options for this:
>>>>
>>>>SSLVerifyClient require
>>>>SSLVerifyDepth 10
>>>>
>>>>How does SSLVerifyClient verify the client certificate?
>>>>Does this option protect against certificates manually made with a 
>>>>fake public-private key pair?
>>>>So can someone make a certificate identical to the original, 
>>>>attach another set of public and private keys and pretend to be 
>>>>someone else?
>>>>
>>>>Thank you
>>>>
>>>>
>>>>--------------------------------------------------------------------------------
>>>>This email has been checked for viruses by Avast antivirus software.
>>>>www.avast.com
>>>>
>>>>
>>>>
>>>>DISCLAIMER:
>>>>This e-mail message and the accompanying documents are 
>>>>confidential. Their distribution, disclosure or any other use is 
>>>>prohibited. If you are not the intended recipient of this message, 
>>>>you are prohibited from acting on this information. Reading, 
>>>>copying, distributing, disclosing or otherwise using the 
>>>>information contained in this message constitutes a violation of 
>>>>the law. If you received the message in error, please destroy it 
>>>>and notify the sender of the error. Since e-mail cannot be 
>>>>guaranteed to be a secure and error-free means of transmitting 
>>>>information, it is your responsibility to ensure that the message 
>>>>(including the documents attached to it) is validated and 
>>>>authorized for use in your environment.
>>>>
>>>>
>>>
>>
>>
>

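The setup discussed in this thread, sketched as an Apache 2.4 virtual host. This is an added example, not configuration posted by either participant; the host name, file paths and organisation name are placeholders.

```apache
<VirtualHost *:443>
    ServerName www.example.com                      # placeholder
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt # placeholder paths
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # The two directives from the original question.
    SSLVerifyClient require
    SSLVerifyDepth  10

    # Trust anchors for client certificates. A presented certificate is
    # accepted only if its chain of issuer signatures ends at a CA in this
    # file, and the client must also prove possession of the matching
    # private key during the TLS handshake. A copy of a certificate with a
    # different key pair swapped in no longer matches the issuer's signature.
    SSLCACertificateFile /etc/httpd/ssl/token-issuer-ca.pem

    # Local CRL, as suggested in the first reply. In 2.4 the CRL is only
    # consulted when SSLCARevocationCheck is set (the default is "none").
    # "leaf" checks the client certificate itself; "chain" also checks
    # every CA certificate in the chain and needs a CRL for each of them.
    SSLCARevocationFile  /etc/httpd/ssl/token-issuer.crl
    SSLCARevocationCheck leaf

    # OCSP validation of the client certificate chain, for the
    # lost-or-stolen-token case mentioned in the thread.
    SSLOCSPEnable on

    # With a widely recognized CA as trust anchor, every certificate that
    # CA has issued passes verification, so access is narrowed by subject.
    <Location "/">
        Require expr "%{SSL_CLIENT_S_DN_O} == 'Example Org'"
    </Location>
</VirtualHost>
```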

