1

We have a web server running on a Linux machine where we configured 'SSLVerifyClient' as 'require' in the ssl.conf file.

Does this mean that a client using the service from a web browser (like Firefox or Chrome) needs a certificate?

If yes, then it is not possible to distribute a client certificate to every user, as there can be some thousands of users; how do we overcome this problem?

If no, then how is the data passed over the network secure? I know that a certificate helps in encrypting data so that no one who doesn't have the certificate can read the data.

Please help me clarify my doubts.

Rajesh Kumar
  • 'I know that certificate helps in encrypting data so that no one who don't have certificate cant read data'. This is not correct. – user207421 Apr 26 '16 at 11:22
  • I read about SSL long back, let me go through it again to better understand it...Thank you.... – Rajesh Kumar Apr 26 '16 at 11:24
  • Possible duplicate of [How Digital certificates provides extra security on top of SSL](http://stackoverflow.com/questions/23446495/how-digital-certificates-provides-extra-security-on-top-of-ssl) – user207421 Apr 26 '16 at 11:40

2 Answers

0

If you don't use a client certificate, the HTTPS connection is still safe:

  • Only the client and the server can read/write the content
  • The identity of the server is assured by a certificate authority

Client certificates only give you client authentication at the beginning of the connection. To encrypt the data, the public key of the server is used at the beginning (see public key encryption).

If you identify the client with cookies set after a login/password submit, it is still safe: you have identified the client.

Tom
  • Even if there is no client certificate, will that still be secure, i.e. no one else can read the data, right? According to me, the client certificate will encrypt the data before sending it to the server. If there is no client certificate then how will the encryption happen? Do I need to change SSLVerifyClient to False in this case of not expecting the client to send a certificate? Thanks for your help – Rajesh Kumar Apr 26 '16 at 11:20
  • @RajeshKumar He's answered all that. The part starting 'according to me' is incorrect. – user207421 Apr 26 '16 at 11:21
  • @RajeshKumar Client certificates only give you client authentication. Cerver. The client uses the public key of the server to encrypt the data. – Tom Apr 26 '16 at 11:41
  • @Tom No it doesn't. SSL uses symmetric encryption via a negotiated session key. – user207421 Apr 26 '16 at 15:49
  • @EJP Yes, but the exchange of the symmetric key is done with asymmetric encryption. I've oversimplified, sorry. – Tom Apr 26 '16 at 16:00

-1

When SSLVerifyClient is set to require, the client MUST pass a client certificate. You would generate these via OpenSSL, and sign them with a certificate authority that you install via SSLCACertificateFile.

How you distribute those certificates is an issue you'll have to solve yourself.

Johan de Vries
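The second answer says the client certificates would be generated with OpenSSL and signed by a CA installed via SSLCACertificateFile, and the comments under the first answer ask what to set SSLVerifyClient to when browser users are not expected to present a certificate. The script below is an added example, not code from either answer or from the Apache project, that walks through that workflow: it creates a private CA, issues a client certificate signed by it, bundles key and certificate as a PKCS#12 file a browser can import, checks that the certificate chains to the CA the way mod_ssl will check it, and prints the ssl.conf directives for each mode ('require' for mandatory client certificates, 'none' for ordinary server-authenticated HTTPS where users are identified by login and cookie). The directory and file names, the subject names, the 'changeit' passphrase and the /path/to/ca.crt location are constructed for the example; SSLVerifyDepth is a real mod_ssl directive.

```shell
#!/bin/sh
# Added example (not from the question or answers): OpenSSL workflow for an
# Apache 'SSLVerifyClient require' deployment. All names/paths are constructed.
set -u

# Create a private CA (key + self-signed certificate) in directory $1.
# The resulting ca.crt is what goes into Apache's SSLCACertificateFile.
make_ca() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" \
        -subj "/CN=Example Client CA" >/dev/null 2>&1
}

# Issue a client certificate for user $2, signed by the CA in $1, and
# export key + certificate as a PKCS#12 bundle for import into a browser
# (Firefox/Chrome certificate store). Passphrase 'changeit' is a placeholder.
issue_client_cert() {
    dir=$1
    user=$2
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/$user.key" -out "$dir/$user.csr" \
        -subj "/CN=$user" >/dev/null 2>&1 || return 1
    openssl x509 -req -sha256 -days 365 -in "$dir/$user.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/$user.crt" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -in "$dir/$user.crt" -inkey "$dir/$user.key" \
        -out "$dir/$user.p12" -passout pass:changeit >/dev/null 2>&1
}

# The check mod_ssl performs on each handshake when SSLVerifyClient is
# 'require': does certificate $2 chain to a CA in file $1?
verify_client_cert() {
    cafile=$1
    certfile=$2
    openssl verify -CAfile "$cafile" "$certfile" >/dev/null 2>&1
}

# Print the ssl.conf directives for mode $1:
#   require -> every client must present a certificate chaining to ca.crt
#   none    -> plain HTTPS: server authenticated by its CA-issued cert,
#              traffic encrypted, users identified by login/cookie instead
apache_fragment() {
    case $1 in
        require)
            printf 'SSLVerifyClient require\n'
            printf 'SSLVerifyDepth 1\n'
            printf 'SSLCACertificateFile /path/to/ca.crt\n'  # placeholder path
            ;;
        none)
            printf 'SSLVerifyClient none\n'
            ;;
        *)
            return 1
            ;;
    esac
}

# Demo run, only when openssl is available and the script is invoked directly.
if [ "${1:-}" = "demo" ] && command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_ca "$work" && issue_client_cert "$work" alice && \
        verify_client_cert "$work/ca.crt" "$work/alice.crt" && \
        echo "alice.crt chains to ca.crt; bundle at $work/alice.p12"
    apache_fragment require
fi
```

Run it as `sh clientcert.sh demo` to produce the files under a temporary directory. A certificate issued by any other CA fails `verify_client_cert` against this ca.crt, which is exactly the rejection a browser user without a bundle from this CA would see under 'require'; for the case raised in the comments, where thousands of browser users are not expected to carry certificates, the fragment printed by `apache_fragment none` is the setting to use, and the connection stays encrypted and server-authenticated as the first answer explains.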