All,
I’m starting to use SSLVerifyClient. I can’t find any documentation on exactly what it means to verify a client, however.
By reading the source, I found that some of the work is delegated to OpenSSL and its behavior is somewhat documented here:
http://www.openssl.org/docs/ssl/SSL_CTX_set_verify.html.
When it says “signatures and issuer attributes are checked,” I assume it’s checking that the issuer is trusted and the cert is not expired. Do you know of anything else?
Also, does Apache itself do anything besides this? I can’t really read the C source well enough to know (ssl_engine_kernel’s ssl_callback_SSLVerify function seems to be the place). For example, is there anything that checks that the request is coming from the host identified in the cert? I assume there is but don’t see anything like that in the src.
Thanks
John
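The verification step that mod_ssl delegates to OpenSSL can be reproduced with the openssl CLI, as an added example that is not part of the original post: a client certificate issued by the configured CA passes `openssl verify`, one issued by an unrelated CA is rejected, and the verify command takes no peer-address or hostname argument at all, so nothing in this step ties the certificate to where the connection came from. The CA names and CNs (TestCA, RogueCA, client.example, intruder.example) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): the chain, signature and
# validity checks OpenSSL performs for a client certificate, done with
# the openssl CLI. All names below are constructed for the example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# new_ca NAME: self-signed CA certificate plus key, valid for one day.
new_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_client CA CN: key and CSR for CN, signed by CA's key.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" \
    -CAkey "$WORK/$1.key" -CAcreateserial -days 1 \
    -out "$WORK/$2.pem" 2>/dev/null
}

# verify_client CA CN: returns 0 when the certificate chains to CA with a
# valid signature and is inside its validity period, non-zero otherwise.
# There is no argument for the peer's address or hostname: this check
# says nothing about which host presented the certificate.
verify_client() {
  openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# Scenario: one trusted CA (the SSLCACertificateFile equivalent) and one
# CA the server has never heard of.
new_ca TestCA
new_ca RogueCA
issue_client TestCA client.example      # issued by the trusted CA
issue_client RogueCA intruder.example   # issued by an untrusted CA

verify_client TestCA client.example && \
  echo "client.example: OK (trusted issuer, within validity period)"
verify_client TestCA intruder.example || \
  echo "intruder.example: rejected (issuer not in the CA file)"
```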