Is the purpose of the client certification process just to prove that the CA you have in SSLCACertificateFile (in the conf file) has vouched for the client? If the CA is a well-known CA, then anyone who has their public cert signed by that CA can pass through as a valid client? A bit confused about this whole client authentication thing.
Viewed 760 times
1 Answer
Yes, but:
- In a private setup for example you could as well use a private internal CA, so you would control who gets certificates or not.
- Look at the SSLOptions directive; the FakeBasicAuth case can help in some cases.
- And more generally, you have the SSLRequire directive, where you can restrict access based on any component of the presented certificate, like its CN.
Example given in documentation:
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
and %{TIME_WDAY} -ge 1 and %{TIME_WDAY} -le 5 \
and %{TIME_HOUR} -ge 8 and %{TIME_HOUR} -le 20 ) \
or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
Note that SSLRequire is now deprecated in favor of Require, which is almost a strict superset of it. You have on https://httpd.apache.org/docs/2.4/expr.html the details on how you can test, and the beginning of https://httpd.apache.org/docs/2.4/mod/mod_ssl.html shows all possible "SSL" variables you can test, such as:
SSL_CLIENT_M_SERIAL   (string)  The serial of the client certificate
SSL_CLIENT_S_DN       (string)  Subject DN in client's certificate
SSL_CLIENT_S_DN_x509  (string)  Component of client's Subject DN

Patrick Mevzek
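An added example (not from the answer above or the Apache documentation) putting the two points together in a 2.4 virtual host: the handshake only succeeds for certificates chaining to a private CA named in SSLCACertificateFile, and Require expr then narrows access per location using the SSL_CLIENT_* variables, including the answer's SSLRequire example rewritten in ap_expr syntax. The hostname, file paths, DN values and serial number are assumptions for illustration.

```apache
# Example httpd 2.4 vhost for client-certificate authentication.
# Hostname, paths, DN values and the serial below are assumptions.
<VirtualHost *:443>
    ServerName intranet.example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/private/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # Only certificates chaining to THIS CA pass the handshake. With a
    # public CA here, any of that CA's customers would be a "valid" client.
    SSLCACertificateFile /etc/ssl/private/internal-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth  1

    # Running your own CA also means you can revoke: check the CA's CRL
    # (assumes you publish one; use OCSP stapling checks instead if preferred).
    SSLCARevocationFile  /etc/ssl/private/internal-ca.crl
    SSLCARevocationCheck chain

    # The answer's SSLRequire example, as a Require expr. Note the ap_expr
    # operators: == for strings, -ge/-le for integers, =~ / !~ for regexes.
    <Location "/staff">
        Require expr ( %{SSL_CIPHER} !~ /^(EXP|NULL)-/ \
            && %{SSL_CLIENT_S_DN_O} == 'Snake Oil, Ltd.' \
            && %{SSL_CLIENT_S_DN_OU} in { 'Staff', 'CA', 'Dev' } \
            && %{TIME_WDAY} -ge 1 && %{TIME_WDAY} -le 5 \
            && %{TIME_HOUR} -ge 8 && %{TIME_HOUR} -le 20 ) \
            || %{REMOTE_ADDR} =~ /^192\.76\.162\.[0-9]+$/
    </Location>

    # Pin a single certificate. A serial is only unique per issuer, so
    # check the issuer CN alongside it; both values here are assumed.
    <Location "/admin">
        Require expr %{SSL_CLIENT_I_DN_CN} == 'Internal CA' \
            && %{SSL_CLIENT_M_SERIAL} == '0A1B2C'
    </Location>
</VirtualHost>
```

Keep SSLVerifyClient at the virtual-host level rather than inside a Location: a per-location setting forces a TLS renegotiation after the request has been read, while at the vhost level the client certificate is checked during the initial handshake. If SSLVerifyClient is absent or set to none, the SSL_CLIENT_* variables are empty and every Require expr above simply denies access, which is a safe failure mode but easy to misread as a broken expression.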
Thank you. Wasn't aware of SSLRequire / Require – Traveller Jan 23 '19 at 05:55