httpd-users mailing list archives

From "Sterpu Victor" <vic...@caido.ro>
Subject Re[2]: [users@httpd] SSL - How client certificates are verified?
Date Sun, 23 Aug 2015 16:57:46 GMT
There are 4 CAs; at least 1 uses OCSP (I only called 1).
I hope all of them use OCSP. I don't know the legislation, but it seems 
normal for this to be required by law.

------ Original Message ------
From: "Marat Khalili" <mkh@rqc.ru>
To: users@httpd.apache.org
Sent: 8/23/2015 7:51:14 PM
Subject: Re: [users@httpd] SSL - How client certificates are verified?

>Oh, I see. In this case you will have to check the status of their 
>certificates. Still, I suspect all of the tokens are issued by one CA. 
>Probably it is better to ask this CA for their procedures: do they use 
>OCSP or just publish CRLs.
>-- With Best Regards, Marat Khalili
>On 23/08/2015 19:41, Sterpu Victor wrote:
>>All clients already have PKCS11 tokens.
>>It would be too complicated for them to get used to something else.
>>
>>------ Original Message ------
>>From: "Marat Khalili" <mkh@rqc.ru>
>>To: users@httpd.apache.org
>>Sent: 8/23/2015 7:34:07 PM
>>Subject: Re: [users@httpd] SSL - How client certificates are verified?
>>
>>>I see. However, accepting client certificates from the world 
>>>recognized authorities is both more expensive (for clients) and more 
>>>risky than running your own CA (recognized only by your server). If 
>>>you personally know all your clients it is easier to issue them 
>>>certificates directly, and revoke them by yourself too if needed.
>>>-- With Best Regards, Marat Khalili
>>>On 23/08/2015 18:56, Sterpu Victor wrote:
>>>>I want to make a page that will authenticate only with PKCS11 
>>>>tokens.
>>>>These tokens contain only certificates from a recognized authority.
>>>>OCSP would be useful if the token has been declared lost or stolen.
>>>>But I don't want to make things too complicated.
>>>>
>>>>
>>>>------ Original Message ------
>>>>From: "Marat Khalili" <mkh@rqc.ru>
>>>>To: users@httpd.apache.org
>>>>Sent: 8/23/2015 6:51:02 PM
>>>>Subject: Re: [users@httpd] SSL - How client certificates are 
>>>>verified?
>>>>
>>>>>Hello, what is your scenario? If you issue (sign) client 
>>>>>certificates yourself, Apache can correctly verify it against local 
>>>>>CRL (certificate revocation list) file (server restart may be 
>>>>>required after file update). There's information on the net 
>>>>>concerning OCSP support for client authentication in newer versions 
>>>>>of Apache (google SSLOCSPEnable), but I can see no real use for it 
>>>>>save for some very complicated systems.
>>>>>-- With Best Regards, Marat Khalili
>>>>>On 23/08/2015 09:51, Sterpu Victor wrote:
>>>>>>Hello
>>>>>>
>>>>>>I have a web page that asks for client certificate.
>>>>>>These are the options for this:
>>>>>>
>>>>>>SSLVerifyClient require
>>>>>>SSLVerifyDepth 10
>>>>>>
>>>>>>How does SSLVerifyClient verify the client certificate?
>>>>>>Does this option protect against certificates manually made with a fake
>>>>>>public-private key pair?
>>>>>>So can someone make a certificate identical to the original, 
>>>>>>attach another set of public and private keys and pretend to be 
>>>>>>someone else?
>>>>>>
>>>>>>Thank you
>>>>>>
>>>>>>
>>>>>>--------------------------------------------------------------------------------
>>>>>>This email has been checked for viruses by Avast antivirus 
>>>>>>software.
>>>>>>www.avast.com
>>>>>>
>>>>>>
>>>>>>
>>>>>>DISCLAIMER:
>>>>>>This e-mail message and the attached documents are confidential. 
>>>>>>Distributing, disclosing or using them in any other way is prohibited. 
>>>>>>If you are not the intended recipient of this message, you are 
>>>>>>prohibited from acting on the basis of this information. Reading, 
>>>>>>copying, distributing, disclosing or otherwise using the information 
>>>>>>contained in this message constitutes a violation of the law. If you 
>>>>>>have received this message by mistake, please destroy it and notify 
>>>>>>the sender of the error. Since it cannot be guaranteed that e-mail is 
>>>>>>a secure and error-free way of transmitting information, it is your 
>>>>>>responsibility to ensure that the message (including the documents 
>>>>>>attached to it) is validated and authorized for use in your 
>>>>>>environment.
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>>
>>
>

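For reference, an added example (not written by anyone in this thread) of how the directives discussed above fit together in mod_ssl: the CA bundle the client certificate must chain to, the local CRL check, and OCSP for tokens reported lost or stolen. File paths, hostnames and the responder URL are placeholders.

```apache
# Added example, not from the thread: mod_ssl client-certificate
# authentication with local CRL and OCSP revocation checking.
# All paths and the OCSP responder URL are placeholders.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.pem
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # CAs a client certificate must chain to. The CA signature covers the
    # certificate's public key, so a copy of a real certificate with a
    # different key pair attached fails signature verification here.
    SSLCACertificateFile /etc/ssl/certs/client-cas.pem

    # Require a client certificate on every request and accept chains of
    # up to 10 intermediates, as in the configuration quoted in the thread.
    SSLVerifyClient require
    SSLVerifyDepth 10

    # Local CRL, checked for every certificate in the chain ("chain"),
    # not only the end-entity certificate ("leaf"). The file is read at
    # startup, so reload ("apachectl graceful") after replacing it.
    SSLCARevocationFile  /etc/ssl/crl/client-cas.crl
    SSLCARevocationCheck chain

    # OCSP: query the responder named in the certificate's AIA extension
    # during the handshake; use the default responder when a certificate
    # names none, and fail closed if no answer arrives within 10 seconds.
    SSLOCSPEnable on
    SSLOCSPDefaultResponder http://ocsp.example.test/
    SSLOCSPResponderTimeout 10
</VirtualHost>
```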

