Posted to users@httpd.apache.org by galaft wang <ga...@gmail.com> on 2010/07/13 09:23:03 UTC

[users@httpd] How to ignore common name during client certificate verification?

Hi,

As we know, the directive SSLVerifyClient in mod_ssl can be used for Client
Authentication:

SSLVerifyClient require

It means the client *has to* present a valid certificate.

However, for a specific purpose, I only want to verify whether the client's
certificate is issued by a trusted CA.
I do not want to verify the common name in the client's certificate.
In other words, if the client certificate is issued by a trusted CA, even if its
common name does not match, we can still consider this client certificate
valid.

How do I configure Apache for such a purpose? Thanks!

Br,
Jason

Re: [users@httpd] How to ignore common name during client certificate verification?

Posted by Subhasis Rath <ra...@gmail.com>.
All Apache needs is to trust the CA which issued the client cert



SR

On Thu, Jul 15, 2010 at 10:29 PM, galaft wang <ga...@gmail.com> wrote:

> Hi,
>
> I am not sure I got your idea... Do you mean that with such a configuration,
> "SSLEngine on and SSLVerifyClient require", Apache doesn't deny a request from
> a client whose IP (or FQDN) doesn't match its certificate CN?
>
> But according to my experiments, Apache will deny the request with such a
> configuration.
>
> Could you please tell me more details about "SSLVerifyClient require"? How
> does mod_ssl verify the client certificate? There are many fields in a
> certificate, e.g. Issuer, Time Validity, Subject CN, Subject Public Key
> Info, etc. Will Apache verify each field?
>
>
> Br, Jason
>
>
> On Wed, Jul 14, 2010 at 6:59 PM, Eric Covener <co...@gmail.com> wrote:
>
>> On Tue, Jul 13, 2010 at 10:21 PM, galaft wang <ga...@gmail.com> wrote:
>> > Hi,
>> > Normally, the CN would be the IP address of the client; if the client IP
>> > does not match its certificate CN, Apache would deny its request. This is
>> > used in highly secured networks.
>>
>> Not with just SSLEngine on and SSLVerifyClient require it doesn't.
>>
>>
>> --
>> Eric Covener
>> covener@gmail.com
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server Project.
>> See <URL:http://httpd.apache.org/userslist.html> for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>   "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>

Re: [users@httpd] How to ignore common name during client certificate verification?

Posted by galaft wang <ga...@gmail.com>.
Hi,

I am not sure I got your idea... Do you mean that with such a configuration,
"SSLEngine on and SSLVerifyClient require", Apache doesn't deny a request from
a client whose IP (or FQDN) doesn't match its certificate CN?

But according to my experiments, Apache will deny the request with such a
configuration.

Could you please tell me more details about "SSLVerifyClient require"? How
does mod_ssl verify the client certificate? There are many fields in a
certificate, e.g. Issuer, Time Validity, Subject CN, Subject Public Key
Info, etc. Will Apache verify each field?


Br, Jason


On Wed, Jul 14, 2010 at 6:59 PM, Eric Covener <co...@gmail.com> wrote:

> On Tue, Jul 13, 2010 at 10:21 PM, galaft wang <ga...@gmail.com> wrote:
> > Hi,
> > Normally, the CN would be the IP address of the client; if the client IP
> > does not match its certificate CN, Apache would deny its request. This is
> > used in highly secured networks.
>
> Not with just SSLEngine on and SSLVerifyClient require it doesn't.
>
>
> --
> Eric Covener
> covener@gmail.com
>
>
>

Re: [users@httpd] How to ignore common name during client certificate verification?

Posted by Eric Covener <co...@gmail.com>.
On Tue, Jul 13, 2010 at 10:21 PM, galaft wang <ga...@gmail.com> wrote:
> Hi,
> Normally, the CN would be the IP address of the client; if the client IP
> does not match its certificate CN, Apache would deny its request. This is
> used in highly secured networks.

Not with just SSLEngine on and SSLVerifyClient require it doesn't.


-- 
Eric Covener
covener@gmail.com


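An added configuration example (not from the thread, and not the poster's setup) showing what "SSLEngine on" plus "SSLVerifyClient require" actually checks: the client certificate's chain against the CAs in SSLCACertificateFile, its signature, validity period and chain depth, not the Subject CN. The commented-out directive is the only thing that would tie the CN to a particular client; leaving it out gives exactly the "issued by a trusted CA" check Jason asked for. File paths, the hostname and the CN value are placeholders.

```apache
# Added example, not from the thread. Paths, hostname and CN are placeholders.
Listen 443
<VirtualHost *:443>
    ServerName www.example.test

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # Client authentication: the client must present a certificate that chains
    # to one of the CAs in this file. mod_ssl verifies the signature chain,
    # validity dates and chain depth here. It does not compare the Subject CN
    # with the client's IP address or hostname; any certificate issued by a
    # trusted CA is accepted.
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLCACertificateFile /etc/ssl/certs/trusted-client-ca.pem

    # Export SSL_CLIENT_* variables to CGI scripts and SSI (the %{...}x log
    # format below reads them directly and does not need this).
    SSLOptions +StdEnvVars

    <Location />
        # A CN check only happens if you ask for it explicitly. Uncomment to
        # restrict access to one certificate subject (Apache 2.2 syntax; on
        # 2.4 use: Require expr "%{SSL_CLIENT_S_DN_CN} == 'client-01'").
        # SSLRequire %{SSL_CLIENT_S_DN_CN} eq "client-01"
    </Location>

    # Record who connected and the verification result, so that an
    # unexpected CN shows up in the log even though it is not rejected.
    LogFormat "%h %{SSL_CLIENT_S_DN}x %{SSL_CLIENT_VERIFY}x \"%r\" %>s" sslclient
    CustomLog /var/log/httpd/ssl_client_log sslclient
</VirtualHost>
```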

Re: [users@httpd] How to ignore common name during client certificate verification?

Posted by galaft wang <ga...@gmail.com>.
Hi,

Normally, the CN would be the IP address of the client; if the client IP
does not match its certificate CN, Apache would deny its request. This is
used in highly secured networks.

But we do not need such a strict security configuration; we just need to
verify whether the client certificate is issued by a trusted CA. If yes,
accept the client; if not, deny the client.

So I just need to verify client certificates "partly"; what can I do?

Br,
Jason

On Tue, Jul 13, 2010 at 7:12 PM, Eric Covener <co...@gmail.com> wrote:

> On Tue, Jul 13, 2010 at 3:23 AM, galaft wang <ga...@gmail.com> wrote:
> > Hi,
> >
> > As we know, the directive SSLVerifyClient in mod_ssl can be used for Client
> > Authentication:
> >
> > SSLVerifyClient require
> >
> > It means the client has to present a valid certificate.
> >
> > However, for a specific purpose, I only want to verify whether the client's
> > certificate is issued by a trusted CA.
> > I do not want to verify the common name in the client's certificate.
> > In other words, if the client certificate is issued by a trusted CA, even if
> > its common name does not match, we can still consider this client certificate
> > valid.
>
> What does mod_ssl match the CN of a client certificate against?
>
> --
> Eric Covener
> covener@gmail.com
>
>
>

Re: [users@httpd] How to ignore common name during client certificate verification?

Posted by Eric Covener <co...@gmail.com>.
On Tue, Jul 13, 2010 at 3:23 AM, galaft wang <ga...@gmail.com> wrote:
> Hi,
>
> As we know, the directive SSLVerifyClient in mod_ssl can be used for Client
> Authentication:
>
> SSLVerifyClient require
>
> It means the client has to present a valid certificate.
>
> However, for a specific purpose, I only want to verify whether the client's
> certificate is issued by a trusted CA.
> I do not want to verify the common name in the client's certificate.
> In other words, if the client certificate is issued by a trusted CA, even if its
> common name does not match, we can still consider this client certificate
> valid.

What does mod_ssl match the CN of a client certificate against?

-- 
Eric Covener
covener@gmail.com
