Dhaval Thakar wrote:
| Hi list,

Hello Dhaval,
| I have a hosted site over the internet for the branch users, which I want to
| restrict over the internet,
| e.g. only certain computers will be allowed to access the site.
| I want to restrict it to only branch computers.
| Is it possible using SSL/TLS to allow particular computers to access the web site?
| Like access will be granted only if the necessary certificate is installed on
| the client's web browser.

Let's rephrase your requirements: You have a server using SSL/TLS. This server
should grant access to only a selected list of clients. You are able to
install data on these clients.

The solution is simple:

* create your own CA (for example with the CA.sh or CA.pl scripts)
* for every client:
  * create a client key
  * create a certification request
  * sign the certification request with your CA
  * transfer the certificate (and the key, if it was created by the CA)
* configure your server to use mandatory client verification
* configure your server to use only your CA certificate to verify client
  certificates
* optionally:
  * for every client that should no longer be able to connect to the server:
    * revoke the client certificate
    * create a certificate revocation list (CRL)
    * distribute this CRL to the server
    * configure the server to use the CRL on verification
* test your environment
* sit back and enjoy

But you do need a basic knowledge of certificates. In particular, you must
know how to differentiate between a CA certificate, a server certificate and
a client certificate. Then I suggest playing with CA.sh (or CA.pl) and the
openssl.cnf that is used by these scripts...

| Kindly note: these users are connecting from dynamic IPs. The site has
| authentication.

Doesn't matter, the server verifies whether the client has a certificate. If
you can ensure that every entity connecting to the server has its own
certificate, you could configure authentication to use the data supplied in
the client certificate.
Goetz

--
DMCA: The greed of the few outweighs the freedom of the many

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List
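The CA, client-certificate and CRL steps from the reply, as an added shell example that is not part of the original thread: it drives only the openssl command line, and the scratch directory, file names and subject names are constructed for the example. The verify_client function imitates the check a server configured for mandatory client verification (trusting only this CA, with the CRL loaded) performs on a presented certificate.

```shell
# Added example (not from the original thread): a small private CA driven by the
# openssl CLI. Directory, file and subject names are arbitrary choices.
set -eu
setup_ca() {                      # $1 = scratch directory (becomes the cwd)
  mkdir -p "$1/newcerts" && cd "$1"
  : > index.txt; echo 01 > serial
  cat > ca.cnf <<'EOF'
[ ca ]
default_ca = branch_ca
[ branch_ca ]
dir = .
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
  # Self-signed CA certificate: the ONLY issuer the server should trust.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Branch CA" -days 365 -config ca.cnf 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null   # empty CRL to start
}
# Client key and CSR on behalf of one branch PC, then sign the CSR with the CA.
issue_client() {                  # $1 = client name (used as CN)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$1" -config ca.cnf 2>/dev/null
  openssl ca -batch -notext -config ca.cnf -in "$1.csr" -out "$1.crt" 2>/dev/null
}
# What a server with mandatory client verification checks: chains to our CA and
# is not listed on the CRL. Exit status 0 means "would be accepted".
verify_client() {                 # $1 = client name
  openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl "$1.crt" >/dev/null 2>&1
}
# Revoke a lost or retired PC and regenerate the CRL that the server must load.
revoke_client() {                 # $1 = client name
  openssl ca -config ca.cnf -revoke "$1.crt" 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}
```

Source the file, then run `setup_ca /tmp/branch-ca && issue_client branch-pc1`; after `revoke_client branch-pc1` the same `verify_client branch-pc1` call fails, which is exactly the effect the regenerated CRL has once the server loads it.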
