httpd-users mailing list archives

From "Belmona, Nizar" <nbelm...@cscgroup.com>
Subject RE: [users@httpd] SSL Certificate Validation
Date Thu, 08 Feb 2018 12:36:34 GMT
Thanks Rainer and Daniel.
Sorry for the confusion and please let me clarify.

We have a web server with Apache 2.2.22 with OpenSSL 0.9.8t. The Apache service launches fine
and the users/developers are able to connect; however, developers bypass the Server SSL
certificate verification through their code. I am not worried about the client certificate validation
since we are not using it; our only concern is that we need to stop users bypassing the Server
SSL verification, who are claiming they have to bypass it since the certificate name doesn't
match the server name in the link being called. Kindly note that the configuration in httpd.conf
is:

<VirtualHost xxx.xxx.xx.xx:443>
    DocumentRoot "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs"
    ServerName xxx.xxx.com
    SSLEngine On
    SSLCertificateFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\A.crt"
    SSLCertificateKeyFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\B.pem"
    SSLCertificateChainFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\C.crt"
</VirtualHost>

Regards,


From: Daniel [mailto:dferradal@gmail.com]
Sent: Thursday, February 8, 2018 12:38 PM
To: <users@httpd.apache.org> <users@httpd.apache.org>
Subject: Re: [users@httpd] SSL Certificate Validation

Hello Nizar,

You need to provide much more info on your current setup so we can provide any meaningful
advice. Which SSL verification? What configuration?

Regarding what's needed in the httpd config, the basic thing is to have "SSLVerifyClient require"
and a list of accepted CAs, but that could be overridden in config; that's why you need to
show your actual setup or more relevant info.
As an added note, if you have real concerns regarding security one of the best things to do
is probably to consider upgrading your openssl version which seems ancient.

2018-02-08 7:16 GMT+01:00 Belmona, Nizar <nbelmona@cscgroup.com>:
Dear users,
We are currently using Apache 2.2.22 (mod_ssl 2.2.22, OpenSSL/0.9.8t) and we have a security
concern since developers are able to bypass the SSL certificate verification when using HTTPS
calls. Kindly advise what configuration is needed to enforce the certificate verification?
In other words, should anyone try to bypass this verification, the call fails, returning some
kind of error code.
Please note that our environment is a simple one; it consists of one web server with no proxies.

Your help is greatly appreciated.

Regards,

Nizar Belmona
Deputy Section Head
Card Management System Department | CSCBank SAL
t +961 1 742555 | ext. 1647 | f +961 1 352281
e nbelmona@cscgroup.com | w www.cscgroup.com
150 Commodore Street, Hamra | Beirut, 1103 2120, Lebanon


--
Daniel Ferradal
IT Specialist

email         dferradal at gmail.com
linkedin     es.linkedin.com/in/danielferradal


Nizar Belmona
Deputy Section Head

Card Management System Department | CSCBank SAL
t +961 1 742555 | ext. 1647 | f +961 1 352281
e nbelmona@cscgroup.com | w www.cscgroup.com
150 Commodore Street, Hamra | Beirut, 1103 2120, Lebanon
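
The name mismatch described in this thread (the certificate name differing from the server name in the link clients call) can be checked on the server side by comparing the names in the certificate with the hostnames used in client URLs. The following is an added example, not part of the original messages: the certificate dict uses the layout returned by Python's `ssl.SSLSocket.getpeercert()`, and all hostnames and certificate contents are constructed sample values.

```python
# Added example: does a server certificate cover the hostnames clients call?
# The dict layout mirrors what ssl.SSLSocket.getpeercert() returns.

def cert_dns_names(cert):
    """Return the DNS names a certificate is valid for (SAN first, CN fallback)."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans  # when SAN DNS entries exist, the CN is ignored
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """Case-insensitive match; '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # require at least three labels so a pattern like '*.com' never matches
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def covers(cert, hostname):
    """True if any name in the certificate matches the hostname."""
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))

def audit(cert, called_hostnames):
    """Map each hostname used in client URLs to True (covered) or False."""
    return {h: covers(cert, h) for h in called_hostnames}

# Constructed sample: certificate issued for some names, clients call others.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"), ("DNS", "*.api.example.test")),
}
CALLED = ["www.example.test", "cards.example.test",
          "v1.api.example.test", "a.b.api.example.test"]

if __name__ == "__main__":
    for host, ok in audit(SAMPLE_CERT, CALLED).items():
        status = "covered" if ok else "MISMATCH: verifying clients will reject"
        print(f"{host:24} {status}")
```
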
