Re: How to ignore common name during client certificate verification?

All Apache needs is to trust the CA which issued the client cert.



SR

On Thu, Jul 15, 2010 at 10:29 PM, galaft wang <galaft@xxxxxxxxx> wrote:
Hi,

I am not sure I got your idea... Do you mean that with such a configuration, "SSLEngine on and SSLVerifyClient require", Apache doesn't deny a request from a client whose IP (or FQDN) doesn't match its certificate CN?

But according to my experiments, Apache will deny the request with such a configuration.

Could you please tell me more details about "SSLVerifyClient require"? How does mod_ssl verify the client certificate? There are many contents in a certificate, e.g. Issuer, Time Validity, Subject CN, Subject Public Key Info, etc. Will Apache verify each of them?


Br, Jason


On Wed, Jul 14, 2010 at 6:59 PM, Eric Covener <covener@xxxxxxxxx> wrote:
On Tue, Jul 13, 2010 at 10:21 PM, galaft wang <galaft@xxxxxxxxx> wrote:
> Hi,
> Normally, CN would be the IP address of the client; if the client IP does not match
> its certificate CN, Apache would deny its request. This is used in highly
> secured network.

Not with just SSLEngine on and SSLVerifyClient require it doesn't.


--
Eric Covener
covener@xxxxxxxxx

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
  "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
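
An added example, not part of the thread or of the Apache project's own material: a mod_ssl virtual host showing what the thread's `SSLEngine on` / `SSLVerifyClient require` configuration checks (the chain to a trusted CA) and the separate, explicit `SSLRequire` rule an administrator would have to add before the certificate CN is ever compared with the client address. The hostname, file paths and the `/restricted` location are placeholders.

```apache
# Added example; hostname, paths and /restricted are placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Client authentication as discussed in the thread.
    # mod_ssl accepts the client certificate when it chains to a CA
    # listed here, its signature is valid and it is within its
    # validity period. The Subject CN is NOT compared with the
    # client's IP address or hostname at this stage.
    SSLCACertificateFile /path/to/client-ca.crt
    SSLVerifyClient      require
    # Depth 1: the client certificate must be issued directly by a
    # CA in the file above (no intermediate CAs).
    SSLVerifyDepth       1

    # Optional, explicit binding of the certificate to the source
    # address. Only with a rule like this does a CN/IP mismatch
    # cause a denial. Without it, any certificate from the trusted
    # CA is accepted from any address.
    <Location /restricted>
        # SSL_CLIENT_S_DN_CN is the CN of the client certificate's
        # subject; REMOTE_ADDR is the peer address of the connection.
        # (httpd 2.4 deprecates SSLRequire in favour of "Require expr".)
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_ADDR}
    </Location>
</VirtualHost>
```

If requests are denied with only the first three client-auth directives in place, the usual causes are an untrusted issuer, an expired certificate or a chain deeper than `SSLVerifyDepth`; the error log entry for the failed handshake states which check failed.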



