All Apache needs is to trust the CA which issued the client cert
SR

On Thu, Jul 15, 2010 at 10:29 PM, galaft wang <gal...@gmail.com> wrote:
> Hi,
>
> I am not sure I got your idea... Do you mean: with such configuration:
> "SSLEngine on and SSLVerifyClient require", Apache doesn't deny request from
> client whose IP (or FQDN) doesn't match its certificate CN?
>
> But according to my experiments, Apache will deny request with such
> configuration.
>
> Could you please tell me more details about "SSLVerifyClient require". How
> does mod_ssl verify client certificate? There are many contents in a
> certificate, e.g. Issuer, Time Validity, Subject CN, Subject Public Key
> Info, etc. Will Apache verify each content?
>
> Br, Jason
>
> On Wed, Jul 14, 2010 at 6:59 PM, Eric Covener <cove...@gmail.com> wrote:
>
>> On Tue, Jul 13, 2010 at 10:21 PM, galaft wang <gal...@gmail.com> wrote:
>> > Hi,
>> > Normally, CN would be IP address of the client, if client IP does not
>> > match its certificate CN, Apache would deny its request. This is used
>> > in highly secured network.
>>
>> Not with just SSLEngine on and SSLVerifyClient require it doesn't.
>>
>> --
>> Eric Covener
>> cove...@gmail.com
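
The configuration discussed in this thread, written out as an added example that is not taken from any of the posts: client-certificate verification against a trusted CA, followed by the separate, explicit rule that would be needed to tie the certificate CN to the client address. The server name and all file paths are placeholders, and the CN-equals-IP rule assumes certificates are issued with the client's IP address as the CN.

```apache
# Added illustration; server name and file paths are placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # CA certificate(s) that a client certificate must chain to.
    # This trust anchor is what "SSLVerifyClient require" verifies against.
    SSLCACertificateFile  /path/to/client-ca.crt

    # Fail the handshake unless the client presents a certificate that
    # verifies against the CA above (signature chain and validity period).
    # The Subject CN is NOT compared with the client's IP address or
    # hostname by these directives.
    SSLVerifyClient require

    # Depth 1: the client certificate must be signed by a CA that is
    # directly listed in SSLCACertificateFile.
    SSLVerifyDepth 1

    # Revocation is only checked if a CRL is configured, for example:
    # SSLCARevocationFile /path/to/client-ca.crl

    # Optional, explicit binding of certificate CN to the peer address.
    # Without a rule like this, any certificate issued by the trusted CA
    # is accepted from any address.
    <Location />
        # httpd 2.2 syntax (mod_ssl expression):
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq %{REMOTE_ADDR}

        # httpd 2.4 equivalent:
        # Require expr "%{SSL_CLIENT_S_DN_CN} == %{REMOTE_ADDR}"
    </Location>
</VirtualHost>
```

A request rejected with only the first two directives in place usually points to a chain or validity failure (untrusted issuer, expired certificate, depth exceeded), which mod_ssl reports in the error log.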