
shibboleth-dev - Apache optional_no_ca: What is checked exactly?


  • From: Lukas Haemmerle <>
  • To:
  • Subject: Apache optional_no_ca: What is checked exactly?
  • Date: Mon, 03 Mar 2008 17:59:22 +0100
  • Organization: SWITCH - Serving Swiss Universities

This is slightly off-topic but nevertheless probably very relevant for Shibboleth IdP Admins.
For the attribute request on the AA, it is recommended to set

SSLVerifyClient optional_no_ca

Now, today I had a discussion with our PKI-guru (Kaspar Brand) about the clientAuthentication usually done during the Shib attribute request and he asked me what exactly is validated with optional_no_ca.

Because on
http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#sslverifyclient
it says "optional_no_ca is actually against the idea of authentication (but can be used to establish SSL test pages, etc.)", can one be sure that at least the proof of possession (of the private key used by the SP during the SSL handshake) is checked by Apache? I know that no CA validation is supposed to be done, which makes sense to me, but what else is checked/not checked? How about e.g. the expiration date of the certificate?

I have been assuming that proof-of-possession is checked but now I am not so sure anymore regarding this. Before I look in the source code, can anyone (Scott?) confirm this?

If this is not checked either, it apparently could be possible to inject any (public) certificate into the IdP container because there is no PoP.

Lukas

--
SWITCH
Serving Swiss Universities
--------------------------
Lukas Haemmerle, Software Engineer, Security
Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
phone +41 44 268 15 64, fax +41 44 268 15 68
http://www.switch.ch
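The question above is about what the TLS layer does and does not verify under `SSLVerifyClient optional_no_ca`. Whatever the answer for a given Apache version, an application behind such a setting should not treat "a certificate was presented" as "a certificate was validated". The following is an added example (not code from this thread, from Apache or from Shibboleth) of application-side checks over the per-request variables mod_ssl exports when `SSLOptions +StdEnvVars` is on: `SSL_CLIENT_VERIFY` (which mod_ssl documents as `NONE`, `SUCCESS`, `GENEROUS` or `FAILED:reason`, with `GENEROUS` meaning the certificate was presented but its chain was not validated), `SSL_CLIENT_S_DN`, `SSL_CLIENT_M_SERIAL` and `SSL_CLIENT_V_END`. The subject/serial allow-list, the sample variable values and the fixed clock are all constructed for the example; a real deployment would consult its own trust store. The example does not settle the proof-of-possession question raised in the mail; it only shows how to compensate for relaxed chain validation and to enforce the validity period yourself.

```python
"""Application-side checks on a client certificate that Apache mod_ssl
admitted under `SSLVerifyClient optional_no_ca`.

Added example; assumes the handler sees the standard mod_ssl request
variables (SSLOptions +StdEnvVars). The allow-list is a hypothetical
stand-in for the application's real trust store.
"""
from datetime import datetime, timezone

# mod_ssl prints notAfter in OpenSSL ASN1_TIME_print form, e.g. "Mar  3 16:59:22 2030 GMT".
# Python's strptime treats a space in the format as "one or more spaces", so the
# two-space day padding parses correctly.
_V_END_FORMAT = "%b %d %H:%M:%S %Y GMT"


def parse_v_end(value):
    """Parse SSL_CLIENT_V_END into a timezone-aware UTC datetime."""
    return datetime.strptime(value, _V_END_FORMAT).replace(tzinfo=timezone.utc)


def classify_client_cert(environ, now, allowed):
    """Return (accept: bool, reason: str) for the certificate described by environ.

    allowed: set of (subject DN, serial) pairs the application itself trusts;
    consulted only when mod_ssl reports GENEROUS (presented, chain not validated).
    """
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify == "NONE":
        return False, "no client certificate presented"
    if verify.startswith("FAILED"):
        return False, "mod_ssl rejected the certificate: " + verify

    # Enforce the validity period here rather than assuming the TLS layer did
    # when chain checks are relaxed.
    v_end = environ.get("SSL_CLIENT_V_END")
    if v_end is None:
        return False, "SSL_CLIENT_V_END missing; is SSLOptions +StdEnvVars set?"
    if parse_v_end(v_end) <= now:
        return False, "certificate expired " + v_end

    subject = environ.get("SSL_CLIENT_S_DN", "")
    serial = environ.get("SSL_CLIENT_M_SERIAL", "")
    if verify == "SUCCESS":
        return True, "chain validated by mod_ssl: " + subject
    if verify == "GENEROUS":
        # optional_no_ca: the peer presented a certificate but mod_ssl did not
        # validate its issuer, so the trust decision must come from the application.
        if (subject, serial) in allowed:
            return True, "chain not validated; subject/serial on allow-list: " + subject
        return False, "chain not validated and subject/serial unknown: " + subject
    return False, "unexpected SSL_CLIENT_VERIFY value: " + verify


# Constructed fixed clock and allow-list for the demonstration.
NOW = datetime(2008, 3, 3, 17, 0, 0, tzinfo=timezone.utc)
ALLOWED = {("CN=sp.example.org,O=Example SP", "0A1B2C")}

# Constructed samples of what mod_ssl would export for different peers.
SAMPLES = {
    "generous_allowed": {
        "SSL_CLIENT_VERIFY": "GENEROUS",
        "SSL_CLIENT_S_DN": "CN=sp.example.org,O=Example SP",
        "SSL_CLIENT_M_SERIAL": "0A1B2C",
        "SSL_CLIENT_V_END": "Mar  3 16:59:22 2009 GMT",
    },
    "generous_unknown": {
        "SSL_CLIENT_VERIFY": "GENEROUS",
        "SSL_CLIENT_S_DN": "CN=rogue.example.net,O=Nobody",
        "SSL_CLIENT_M_SERIAL": "FFFF01",
        "SSL_CLIENT_V_END": "Mar  3 16:59:22 2009 GMT",
    },
    "generous_expired": {
        "SSL_CLIENT_VERIFY": "GENEROUS",
        "SSL_CLIENT_S_DN": "CN=sp.example.org,O=Example SP",
        "SSL_CLIENT_M_SERIAL": "0A1B2C",
        "SSL_CLIENT_V_END": "Feb 28 12:00:00 2008 GMT",
    },
    "success": {
        "SSL_CLIENT_VERIFY": "SUCCESS",
        "SSL_CLIENT_S_DN": "CN=idp-peer.example.edu,O=Example University",
        "SSL_CLIENT_M_SERIAL": "000123",
        "SSL_CLIENT_V_END": "Jan  1 00:00:00 2010 GMT",
    },
    "none": {"SSL_CLIENT_VERIFY": "NONE"},
}


def run_samples():
    """Classify every constructed sample; returns {name: (accept, reason)}."""
    return {name: classify_client_cert(env, NOW, ALLOWED) for name, env in SAMPLES.items()}


if __name__ == "__main__":
    for name, (accept, reason) in run_samples().items():
        print(f"{name:18} {'ACCEPT' if accept else 'REJECT'}  {reason}")
```

The point of the `GENEROUS` branch is that under `optional_no_ca` the only thing the web server hands you is "a certificate arrived and the handshake completed"; the identity binding (which subject and serial you are willing to act for) and the validity window are the application's job.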


