httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rick Yorgason <>
Subject Re: [users@httpd] Making SSLVerifyClient optional using mod_rewrite and Alias?
Date Tue, 16 Sep 2008 16:47:09 GMT
Torsten Foertsch wrote:
> On Tue 16 Sep 2008, Rick Yorgason wrote:
> There is a major drawback in that approach as with allowing SSL 
> renegotiation in general. You cannot deploy large POST requests. 

Unfortunately, if POST requests are hampered, then it's really not going 
to be useful to me.

> Now a few remarks to think about. You said you want that for extra 
> security. For whom? The SSL connection is not better encrypted if the 
> client supplies a certificate. The only thing a that a client 
> certificate can achieve is to make sure for the server to whom it 
> talks. The client gains nothing.
> But in that case using optional_no_ca is complete nonsense. Because if 
> the server doesn't have a trusted CA certificate to verify the 
> certificate supplied by the client the client can fake any identity it 
> wants.

It's not useful for knowing *who* you're talking to, per se, but it's 
useful for knowing that you're talking to the *same* person you were 
talking to before, right?  That way if somebody has cookies that 
identify their session or their persistent login, then a session 
fixation attack would be useless unless you can also steal their private 

Of course, I'd still be careful to make sure everything is as secure as 
possible for people who don't have certs (i.e. most of them) but client 
certs seem like a Good Thing, so I like the idea of offering them to 
people (especially admins).



The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message