Re[2]: SSL - How client certificates are verified?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

I'm not sure I got this right, this is what I was thinking:
- client sends his certificate, with the public key included; the certificate contains a signature of the client certificate made with the private key of the CA;
- apache server has the public key of the CA and can check the signature of the CA
Is this right?
 
Does this check includes OCSP verification? If not can this be done from apache?
 
Thank you.
 
------ Original Message ------
From: "Mohanavelu Subramanian" <mhnvelu@xxxxxxxxx>
To: users@xxxxxxxxxxxxxxxx; "Sterpu Victor" <victor@xxxxxxxx>
Sent: 8/23/2015 10:19:13 AM
Subject: Re: SSL - How client certificates are verified?
 
Hi,

With the option "SSLVerifyClient require" , server mandates the client to send its certificate for authentication. Then the server verifies this client certificate against the CA certificate file configured in apache. If the client certificate has been signed by a valid CA, then the authentication is successful.

There are cases where sub CA certificate can be generated from root certificate. So, this will end up in a hierarchy of CA certificates. The final sub CA certificate would be used to sign client certificate. With option "SSLVerifyDepth 10", the server will verify the client certificate to the level of 10, meaning it will verify from 0 to up the hierarchy 10.
Maximum depth of CA Certificates in Client Certificate verification

When the client sends its fake certificate(not signed by the CA) , the authentication will fail at server.

Regards,
Mohan

On Sun, Aug 23, 2015 at 12:21 PM, Sterpu Victor <victor@xxxxxxxx> wrote:
Hello
 
I have a web page that asks for client certificate.
These are the options for this:
 
SSLVerifyClient require
SSLVerifyDepth 10

How does SSLVerifyClient  verifies the client certificate?
This option protects against certificates manual made with a fake public-private key pair?
So can someoane make a certificate identical with the original, attach another set of public and private keys and pretend to be someoane else?
 
Thank you


Avast logo

This email has been checked for viruses by Avast antivirus software.
www.avast.com



DISCLAIMER:
Acest mesaj de posta electronica si documentele aferente sunt confidentiale. Este interzisa distribuirea, dezvaluirea sau orice alt mod de utilizare a lor. Daca nu sunteti destinatarul acestui mesaj, este interzis sa actionati in baza acestor informatii. Citirea, copierea, distribuirea, dezvaluirea sau utilizarea in alt mod a informatiei continute in acest mesaj constituie o incalcare a legii. Daca ati primit mesajul din greseala, va rugam sa il distrugeti, anuntand expeditorul de eroarea comisa. Intrucat nu poate fi garantat faptul ca posta electronica este un mod sigur si lipsit de erori de transmitere a informatiilor, este responsabilitatea dvs. sa va asigurati ca mesajul (inclusiv documentele alaturate lui) este validat si autorizat spre a fi utilizat in mediul dvs.


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux