httpd-users mailing list archives

From Daniel <dferra...@gmail.com>
Subject Re: [users@httpd] SSL Certificate Validation
Date Thu, 08 Feb 2018 10:37:42 GMT
Hello Nizar,

You need to provide much more info on your current setup so we can provide
any meaningful advice. Which SSL verification? What configuration?

Regarding what's needed in the httpd config, the basic thing is to have
"SSLVerifyClient require" and a list of accepted CAs, but that could be
overridden in config; that's why you need to show your actual setup or more
relevant info.
As an added note, if you have real concerns regarding security, one of the
best things to do is probably to consider upgrading your OpenSSL version,
which seems ancient.

2018-02-08 7:16 GMT+01:00 Belmona, Nizar <nbelmona@cscgroup.com>:

> Dear users,
>
> We are currently using Apache 2.2.22 (mod_ssl 2.2.22, OpenSSL/0.9.8t) and
> we have a security concern since developers are able to bypass the SSL
> certificate verification when using HTTPS calls. Kindly advise what
> configuration is needed to enforce the certificate verification? In other
> words should anyone try to bypass this verification, the call fails
> returning some kind of error code.
>
> Please note that our environment is a simple one; it consists of one web
> server with no proxies.
>
>
>
> Your help is greatly appreciated.
>
>
>
> Regards,
>
>
> Nizar Belmona
> Deputy Section Head
> Card Management System Department *|* CSCBank SAL
> *t* +961 1 742555 | *ext.* 1647 | *f* +961 1 352281
> *e* nbelmona@cscgroup.com | *w* www.cscgroup.com
> 150 Commodore Street, Hamra | Beirut, 1103 2120, Lebanon
>  Save a tree. Please consider the environment before printing this email.
>
>


-- 
*Daniel Ferradal*
IT Specialist

email         dferradal at gmail.com
linkedin     es.linkedin.com/in/danielferradal
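
Added example, not part of the original message or of the httpd project: a small Python check for the point in the reply above that a server-wide "SSLVerifyClient require" can be overridden elsewhere in the config. It lists every `SSLVerifyClient` directive with its enclosing section and flags any that is weaker than `require`; the sample config and its paths are constructed, and `Include` files and Apache's full section merge order are not modelled.

```python
import re

# Constructed sample config (hypothetical paths), not from the original thread.
SAMPLE_CONF = """\
<VirtualHost *:443>
    SSLCACertificateFile /etc/httpd/conf/client-ca.pem
    SSLVerifyClient require
    <Location /status>
        SSLVerifyClient none
    </Location>
</VirtualHost>
"""

OPEN = re.compile(r"<\s*(\w+)\s*([^>]*)>")
CLOSE = re.compile(r"</\s*\w+\s*>")
CA_DIRECTIVES = ("sslcacertificatefile", "sslcacertificatepath")

def audit(conf_text):
    """Return (findings, has_ca); findings holds (line_no, context, level)."""
    stack, findings, has_ca = [], [], False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if CLOSE.match(line):
            if stack:
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2).strip()}".strip())
            continue
        parts = line.split()
        name = parts[0].lower()  # directive names are case-insensitive
        if name in CA_DIRECTIVES:
            has_ca = True
        elif name == "sslverifyclient" and len(parts) > 1:
            context = " > ".join(stack) or "server config"
            findings.append((no, context, parts[1].lower()))
    return findings, has_ca

def weak_spots(conf_text):
    """Directives that do not demand a client certificate (anything but require)."""
    return [f for f in audit(conf_text)[0] if f[2] != "require"]

if __name__ == "__main__":
    for no, ctx, level in weak_spots(SAMPLE_CONF):
        print(f"line {no}: SSLVerifyClient {level} in [{ctx}]")
```

An empty findings list also needs attention: with no `SSLVerifyClient` directive at all, mod_ssl's default is `none`.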
