httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sterpu Victor" <>
Subject Re[2]: [users@httpd] SSL - How client certificates are verified?
Date Sun, 23 Aug 2015 15:55:32 GMT
I want to make a page that will authenticate only with PKCS11 tokens.
These tokens contain only certificates from a recognized authority.
OCSP would be usefull if the token has been declared lost or stolen.
But I don't want to make things too complicated.

------ Original Message ------
From: "Marat Khalili" <>
Sent: 8/23/2015 6:51:02 PM
Subject: Re: [users@httpd] SSL - How client certificates are verified?

>Hello, what is your scenario? If you issue (sign) client certificates 
>yourself, Apache can correctly verify it against local CRL (certificate 
>revocation list) file (server restart may be required after file 
>update). There's information in the net concerning OCSP support for 
>client authentication in newer versions of Apache (google 
>SSLOCSPEnable), but I can see no real use for it save for some very 
>complicated systems.
>-- With Best Regards, Marat Khalili
>On 23/08/2015 09:51, Sterpu Victor wrote:
>>I have a web page that asks for client certificate.
>>These are the options for this:
>>SSLVerifyClient require
>>SSLVerifyDepth 10
>>How does SSLVerifyClient  verifies the client certificate?
>>This option protects against certificates manual made with a fake 
>>public-private key pair?
>>So can someoane make a certificate identical with the original, attach 
>>another set of public and private keys and pretend to be someoane 
>>Thank you
>>This email has been checked for viruses by Avast antivirus software.
>>Acest mesaj de posta electronica si documentele aferente sunt 
>>confidentiale. Este interzisa distribuirea, dezvaluirea sau orice alt 
>>mod de utilizare a lor. Daca nu sunteti destinatarul acestui mesaj, 
>>este interzis sa actionati in baza acestor informatii. Citirea, 
>>copierea, distribuirea, dezvaluirea sau utilizarea in alt mod a 
>>informatiei continute in acest mesaj constituie o incalcare a legii. 
>>Daca ati primit mesajul din greseala, va rugam sa il distrugeti, 
>>anuntand expeditorul de eroarea comisa. Intrucat nu poate fi garantat 
>>faptul ca posta electronica este un mod sigur si lipsit de erori de 
>>transmitere a informatiilor, este responsabilitatea dvs. sa va 
>>asigurati ca mesajul (inclusiv documentele alaturate lui) este validat 
>>si autorizat spre a fi utilizat in mediul dvs.

This email has been checked for viruses by Avast antivirus software.

View raw message