httpd-users mailing list archives

From "Sterpu Victor" <vic...@caido.ro>
Subject Re[2]: [users@httpd] SSL - How client certificates are verified?
Date Sun, 23 Aug 2015 17:17:47 GMT
Ok.

------ Original Message ------
From: "Marat Khalili" <mkh@rqc.ru>
To: users@httpd.apache.org
Sent: 8/23/2015 8:16:06 PM
Subject: Re: [users@httpd] SSL - How client certificates are verified?

>In this case, could you please post the results when you get the 
>SSLOCSPEnable fixed? I'm particularly interested in performance.
>-- With Best Regards, Marat Khalili
>On 23/08/2015 19:57, Sterpu Victor wrote:
>>There are 4 CAs, at least 1 uses OCSP (only 1 I called).
>>I hope all of them use OCSP, I don't know the legislation but it seems 
>>normal to be required by law.
>>
>>------ Original Message ------
>>From: "Marat Khalili" <mkh@rqc.ru>
>>To: users@httpd.apache.org
>>Sent: 8/23/2015 7:51:14 PM
>>Subject: Re: [users@httpd] SSL - How client certificates are verified?
>>
>>>Oh, I see. In this case you will have to check the status of their 
>>>certificates. Still, I suspect all of the tokens are issued by one 
>>>CA. Probably it is better to ask this CA for their procedures: do 
>>>they use OCSP or just publish CRLs.
>>>-- With Best Regards, Marat Khalili
>>>On 23/08/2015 19:41, Sterpu Victor wrote:
>>>>All clients already have PKCS11 tokens.
>>>>It would be too complicated for them to get used to something else.
>>>>
>>>>------ Original Message ------
>>>>From: "Marat Khalili" <mkh@rqc.ru>
>>>>To: users@httpd.apache.org
>>>>Sent: 8/23/2015 7:34:07 PM
>>>>Subject: Re: [users@httpd] SSL - How client certificates are 
>>>>verified?
>>>>
>>>>>I see. However, accepting client certificates from world-recognized
>>>>>authorities is both more expensive (for clients) and
>>>>>more risky than running your own CA (recognized only by your 
>>>>>server). If you personally know all your clients it is easier to 
>>>>>issue them certificates directly, and revoke them by yourself too 
>>>>>if needed.
>>>>>-- With Best Regards, Marat Khalili
>>>>>On 23/08/2015 18:56, Sterpu Victor wrote:
>>>>>>I want to make a page that will authenticate only with PKCS11 
>>>>>>tokens.
>>>>>>These tokens contain only certificates from a recognized 
>>>>>>authority.
>>>>>>OCSP would be useful if the token has been declared lost or
>>>>>>stolen.
>>>>>>But I don't want to make things too complicated.
>>>>>>
>>>>>>
>>>>>>------ Original Message ------
>>>>>>From: "Marat Khalili" <mkh@rqc.ru>
>>>>>>To: users@httpd.apache.org
>>>>>>Sent: 8/23/2015 6:51:02 PM
>>>>>>Subject: Re: [users@httpd] SSL - How client certificates are 
>>>>>>verified?
>>>>>>
>>>>>>>Hello, what is your scenario? If you issue (sign) client
>>>>>>>certificates yourself, Apache can correctly verify it against
>>>>>>>local CRL (certificate revocation list) file (server restart may
>>>>>>>be required after file update). There's information in the net
>>>>>>>concerning OCSP support for client authentication in newer
>>>>>>>versions of Apache (google SSLOCSPEnable), but I can see no real
>>>>>>>use for it save for some very complicated systems.
>>>>>>>-- With Best Regards, Marat Khalili
>>>>>>>On 23/08/2015 09:51, Sterpu Victor wrote:
>>>>>>>>Hello
>>>>>>>>
>>>>>>>>I have a web page that asks for client certificate.
>>>>>>>>These are the options for this:
>>>>>>>>
>>>>>>>>SSLVerifyClient require
>>>>>>>>SSLVerifyDepth 10
>>>>>>>>
>>>>>>>>How does SSLVerifyClient verify the client certificate?
>>>>>>>>Does this option protect against certificates manually made with a
>>>>>>>>fake public-private key pair?
>>>>>>>>So can someone make a certificate identical to the original,
>>>>>>>>attach another set of public and private keys and pretend to be
>>>>>>>>someone else?
>>>>>>>>
>>>>>>>>Thank you
>>>>>>>>
>>>>>>>>
>>>>>>>>--------------------------------------------------------------------------------
>>>>>>>>This email has been checked for viruses by Avast antivirus
>>>>>>>>software.
>>>>>>>>www.avast.com
>>>>>>>>
>>>>>>>>DISCLAIMER:
>>>>>>>>This e-mail message and the accompanying documents are
>>>>>>>>confidential. Distributing, disclosing or using them in any
>>>>>>>>other way is forbidden. If you are not the intended recipient
>>>>>>>>of this message, you are forbidden to act on this information.
>>>>>>>>Reading, copying, distributing, disclosing or otherwise using
>>>>>>>>the information contained in this message is a violation of the
>>>>>>>>law. If you received the message by mistake, please destroy it
>>>>>>>>and notify the sender of the error. Since it cannot be
>>>>>>>>guaranteed that e-mail is a secure and error-free means of
>>>>>>>>transmitting information, it is your responsibility to make
>>>>>>>>sure that the message (including the attached documents) is
>>>>>>>>validated and authorized for use in your environment.
>>>>>>>>
>>>>>>>>


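
How the directives discussed in this thread fit together, as an added example that is not from any of the posters or from the httpd project: a virtual host that keeps the thread's `SSLVerifyClient require` and `SSLVerifyDepth 10` and adds the trust-anchor file plus the two revocation mechanisms mentioned (a local CRL file and `SSLOCSPEnable`). The host name and all file paths are placeholders, and the timeout and max-age values are assumptions chosen for illustration.

```apache
# Added example; host name and file paths are placeholders, not from the thread.
<VirtualHost *:443>
    ServerName tokens.example.org
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # Trust anchors: a client certificate is accepted only if its chain of
    # signatures ends at a CA in this file (here, the token-issuing CAs).
    # A look-alike certificate carrying a different key pair is not signed
    # by any of these CAs, so chain validation rejects it. Presenting the
    # genuine certificate without its private key also fails, because the
    # TLS handshake requires a signature made with that key.
    SSLCACertificateFile /etc/httpd/ssl/token-cas.pem
    SSLVerifyClient require
    SSLVerifyDepth  10

    # Chain validation alone says nothing about revocation: without one of
    # the options below, a token reported lost or stolen keeps working
    # until its certificate expires. Either option, or both, can be used.

    # Option 1: local CRLs (httpd 2.4 syntax). "chain" checks every
    # certificate in the chain and rejects the client when no CRL is
    # available for one of them. The file is loaded at startup, so fetch
    # fresh CRLs on a schedule and reload httpd afterwards.
    SSLCARevocationCheck chain
    SSLCARevocationFile  /etc/httpd/ssl/token-cas-crl.pem

    # Option 2: OCSP. The responder URL is taken from each client
    # certificate, and every client-certificate handshake triggers a
    # responder query, which is the performance cost raised in the thread.
    # Timeout and maximum response age below are assumed values.
    SSLOCSPEnable on
    SSLOCSPResponderTimeout 5
    SSLOCSPResponseMaxAge   3600
</VirtualHost>
```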