Re: How to ignore common name during client certificate verification?

Hi,

Normally, the CN would be the IP address of the client; if the client IP does not match its certificate CN, Apache would deny its request. This is used in highly secured networks.

But we do not need such a strict security configuration; we just need to verify whether the client certificate is issued by a trusted CA. If yes, accept the client; if not, deny the client.

So I just need to verify client certificates "partly". What can I do?

Br,
Jason

On Tue, Jul 13, 2010 at 7:12 PM, Eric Covener <covener@xxxxxxxxx> wrote:
On Tue, Jul 13, 2010 at 3:23 AM, galaft wang <galaft@xxxxxxxxx> wrote:
> Hi,
>
> As we know, the directive SSLVerifyClient in mod_ssl can be used for Client
> Authentication:
>
> SSLVerifyClient require
>
> It means the client has to present a valid certificate.
>
> However, for a specific purpose, I only want to verify whether the client's
> certificate is issued by a trusted CA.
> I do not want to verify the common name in the client's certificate.
> In other words, if the client certificate is issued by a trusted CA, even if its
> common name does not match, we can still consider this client certificate
> valid.

What does mod_ssl match the CN of a client certificate against?

--
Eric Covener
covener@xxxxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
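
The following mod_ssl configuration is an added example, not part of the original thread. It shows the "trusted CA only" setup the question asks for: with these directives the client certificate is checked for a valid chain to a CA in the listed file, and a restriction on the subject CN applies only where an explicit access rule is configured. The host name, file paths, location and CN value are placeholders chosen for illustration.

```apache
<VirtualHost *:443>
    # Placeholder host name and server key material
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Only CAs listed in this file are trusted to issue client certificates.
    # Keep it limited to the CA(s) you actually want to accept.
    SSLCACertificateFile  /etc/apache2/ssl/client-ca.crt

    # Require a client certificate that chains to a CA above.
    SSLVerifyClient require
    # 1 = the client certificate must be signed directly by a listed CA;
    # raise this if intermediate CAs sit between the client and the trusted CA.
    SSLVerifyDepth  1

    # Optional: a CN check exists only if you add one yourself.
    # Omit this block to accept any certificate issued by the trusted CA.
    <Location /restricted>
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "expected-client-name"
    </Location>
</VirtualHost>
```

On httpd 2.4 and later, `SSLRequire` is deprecated in favour of `Require expr`.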