Technically it should work, but you may also want to:
1. Check that the client belongs to some organization/unit as specified in
the certificate, see
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire for an
example. (BTW I don't know if %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ is still
necessary, but I'd specify it just in case.)
2. Configure a revocation list using SSLCARevocationCheck and
SSLCARevocationFile (see same page). But be careful to update your CRL
file and reload your server in a timely manner (there's usually a cron job
for this), or it'll stop accepting any certificates as soon as the CRL expires.
Without these changes you are granting access to any certificate you (or
any other CAs specified in SSLCACertificateFile) ever issued, even to
unrelated or obsolete ones.
--
With Best Regards,
Marat Khalili
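As an added example (not part of either message in this thread), here is Darren's VirtualHost with the two tightenings from the reply above applied: the subject of the client certificate is checked against an expected organization and unit, and a CRL is consulted. The organization name "Example Corp", the units "Staff" and "Admins", and the CRL path /etc/apache2/client-ca.crl are assumptions chosen for illustration; the `Require expr` form is the 2.4 replacement for SSLRequire that the linked page points to.

```apache
# Added example, not the config posted in the thread. Assumed values:
# organization "Example Corp", units "Staff"/"Admins", CRL at
# /etc/apache2/client-ca.crl.
<VirtualHost _default_:443>
    ServerName example.com
    DocumentRoot /var/www/app

    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # CA(s) whose client certificates are trusted at all.
    SSLCACertificateFile "/etc/apache2/client-ca.crt"

    # Point 2: check the presented chain against the CA's CRL. Once this is
    # set, an expired CRL fails *every* client verification, so the file must
    # be replaced and the server reloaded before the CRL's NextUpdate time.
    SSLCARevocationCheck chain
    SSLCARevocationFile "/etc/apache2/client-ca.crl"

    # Refuse export and NULL ciphers at handshake time; this makes the
    # %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ test in SSLRequire unnecessary.
    SSLCipherSuite HIGH:!aNULL:!eNULL:!EXP

    <Directory /var/www/app/webroot>
        SSLVerifyClient optional
        SSLVerifyDepth 1
        Options -Indexes
        AllowOverride all

        <RequireAny>
            # Point 1: a verified certificate is not enough on its own; its
            # subject must also name the expected organization and unit.
            <RequireAll>
                Require ssl-verify-client
                Require expr %{SSL_CLIENT_S_DN_O} == "Example Corp"
                Require expr %{SSL_CLIENT_S_DN_OU} =~ /^(Staff|Admins)$/
            </RequireAll>
            Require local
        </RequireAny>
    </Directory>
</VirtualHost>
```

For the cron job that keeps the CRL fresh, validate the downloaded file before swapping it in: `openssl crl -in new.crl -CAfile /etc/apache2/client-ca.crt -noout` must report "verify OK" and `openssl crl -in new.crl -noout -nextupdate` must still lie in the future; only then move it into place atomically and run `apachectl graceful`. A refresh that silently installs a bad or already-expired CRL produces exactly the lockout the reply warns about. Note also that per-directory `SSLVerifyClient` relies on renegotiation, which TLS 1.3 replaces with post-handshake authentication that not every client supports; if the whole vhost can require client certificates, setting `SSLVerifyClient` at the VirtualHost level avoids that dependency.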
On 16/06/17 12:24, Darren S. wrote:
I ended up with this as a test; is this as easy as it should be?
<VirtualHost _default_:443>
    ServerName example.com
    DocumentRoot /var/www/app

    SSLEngine On
    SSLCertificateFile /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # CA that issues the client certificates
    SSLCACertificateFile "/etc/apache2/client-ca.crt"

    <Directory /var/www/app/webroot>
        # Ask for a client cert but don't fail the handshake without one;
        # authorization below decides what happens
        SSLVerifyClient optional
        SSLVerifyDepth 1
        Options -Indexes
        AllowOverride all

        # Allow either a verified client certificate or a local connection
        <RequireAny>
            Require ssl-verify-client
            Require local
        </RequireAny>
    </Directory>
</VirtualHost>