Thanks Rainer and Daniel.
Sorry for the confusion and please let me clarify.
We have a web server with Apache 2.2.22 with OpenSSL 0.9.8t. The Apache service
launches fine and the users/developers are able to connect; however, developers
bypass the server SSL certificate verification in their code. I am not
worried about the client certificate validation since we are not using it; all
the concern is that we need to stop users bypassing the server SSL verification,
who are claiming they have to bypass it since the certificate name doesn't match
the server name in the link being called. Kindly note that the configuration in
httpd.conf is:
DocumentRoot "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs"
ServerName xxx.xxx.com
SSLEngine On
SSLCertificateFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\A.crt"
SSLCertificateKeyFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\B.pem"
SSLCertificateChainFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\C.crt"
Regards,
From: Daniel [mailto:dferra...@gmail.com]
Sent: Thursday, February 8, 2018 12:38 PM
To: users@httpd.apache.org
Subject: Re: [users@httpd] SSL Certificate Validation
Hello Nizar,
You need to provide much more info on your current setup so we can provide any
meaningful advice. Which SSL verification? What configuration?
Regarding httpd, what's needed in config, the basic thing is to have
"SSLVerifyClient require" and a list of accepted CAs, but that could be
overridden in config; that's why you need to show your actual setup or more
relevant info.
As an added note, if you have real concerns regarding security, one of the best
things to do is probably to consider upgrading your OpenSSL version, which seems
ancient.
2018-02-08 7:16 GMT+01:00 Belmona, Nizar <nbelm...@cscgroup.com>:
Dear users,
We are currently using Apache 2.2.22 (mod_ssl 2.2.22, OpenSSL/0.9.8t) and we
have a security concern since developers are able to bypass the SSL certificate
verification when using HTTPS calls. Kindly advise what configuration is needed
to enforce the certificate verification. In other words, should anyone try to
bypass this verification, the call fails, returning some kind of error code.
Please note that our environment is a simple one; it consists of one web server
with no proxies.
Your help is greatly appreciated.
Regards,
Nizar Belmona
Deputy Section Head
Card Management System Department | CSCBank SAL
t +961 1 742555 | ext. 1647 | f +961 1 352281
e nbelm...@cscgroup.com | w www.cscgroup.com
150 Commodore Street, Hamra | Beirut, 1103 2120, Lebanon
--
Daniel Ferradal
IT Specialist
email dferradal at gmail.com
linkedin es.linkedin.com/in/danielferradal
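An added diagnostic, not part of this thread or of httpd itself, for the name-mismatch complaint above: it connects with chain verification still enforced and reports whether the certificate's SAN dNSName entries (or, failing those, the subject CN) cover the host name the developers actually call, so the remedy can be a certificate that matches ServerName rather than a client-side bypass. hostname_matches() works offline on a getpeercert()-style dict; the host name xxx.xxx.com in the usage line is the placeholder from the thread.

```python
import socket
import ssl


def _dns_label_match(pattern, hostname):
    """Match one dNSName pattern against a host name (case-insensitive).
    Only a single leftmost wildcard label is honoured, as in RFC 6125."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # wildcard must be the whole leftmost label and covers exactly one label
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_names(cert):
    """Return (dns_names, common_names) from a getpeercert()-style dict."""
    dns = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return dns, cns


def hostname_matches(cert, hostname):
    """True if the host name is covered by the SAN; the CN is consulted only
    when the certificate carries no SAN at all (browser behaviour)."""
    dns, cns = cert_names(cert)
    return any(_dns_label_match(p, hostname) for p in (dns if dns else cns))


def check_server(hostname, port=443, timeout=5.0):
    """Connect with CA chain verification enforced and report the name check
    separately, returning (hostname_ok, names_in_cert). A chain failure still
    raises ssl.SSLCertVerificationError, which is the right outcome."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # the name check is done below so every
    ctx.verify_mode = ssl.CERT_REQUIRED  # name in the cert can be reported
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    dns, cns = cert_names(cert)
    return hostname_matches(cert, hostname), (dns or cns)


if __name__ == "__main__":
    ok, names = check_server("xxx.xxx.com")  # placeholder host from the thread
    print("name check:", "OK" if ok else "MISMATCH", "cert names:", names)
```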