Hi,
For security, it needs the possibility to accept only certificates of a certain authority.
Is this planned?
Regards,
roberto
Comments
Comment #1
flamingvan commented:
Wouldn't the server only accept certificates of a certain authority anyway? If not, can you explain how I should go about doing that? Thanks, Moses
Comment #2
roberto.ch commented:
I understand English very, very badly...
I don't understand correctly what you think.
My question: which authority is checked?
The official authorities like Thawte?
Without an authority check, everyone can make a self-signed certificate with the name of others.
What I mean: I create an authority and sign the CSR of the user. Only these certificates should be accepted.
Like Apache's mod_ssl SSLCACertificateFile:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcacertificatefile
Regards,
roberto
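The scenario described in comment #2, as an added example that is not part of the original thread or of the module's code: a site CA signs one user's CSR, someone else self-signs a certificate with the same subject, and only the first verifies against the CA file. The names `Example Site CA` and `alice` and all file names are constructed; `ca.pem` plays the role of the file that `SSLCACertificateFile` would point to.

```shell
#!/usr/bin/env bash
# Added example; the names "Example Site CA" and "alice" are constructed.

# Build a throwaway PKI in directory $1: the site's own CA, a user
# certificate signed by it, and a self-signed certificate with the same name.
make_demo_pki() {
  local d="$1"
  # 1. The site's own authority (ca.pem is the file the server would trust).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Site CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
  # 2. The user creates a key and CSR; the site CA signs the CSR.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout "$d/alice.key" -out "$d/alice.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$d/alice.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/alice.pem" 2>/dev/null || return 1
  # 3. Anyone can self-sign a certificate that claims the same subject.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=alice" \
    -keyout "$d/fake.key" -out "$d/fake.pem" 2>/dev/null || return 1
}

# Print the subject of certificate $1 in one fixed format.
subject_of() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253
}

# Succeed only if certificate $2 chains to a CA in file $1.
# -no-CApath (OpenSSL 1.1.0+) keeps the system trust directory out of it.
accepts_cert() {
  openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run the comparison in a temporary directory and print both verdicts.
demo() {
  local d cert
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" || return 1
  for cert in alice fake; do
    if accepts_cert "$d/ca.pem" "$d/$cert.pem"; then
      echo "$cert.pem  $(subject_of "$d/$cert.pem")  ACCEPTED"
    else
      echo "$cert.pem  $(subject_of "$d/$cert.pem")  REJECTED"
    fi
  done
  rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```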
Comment #3
flamingvan commented:
Hi Roberto,
I'm not sure how I would do it. I don't know enough about how certificates work. I can't seem to sign in on my own server without the certificate, though, so I think I'm safe. Can you show me how the code would work to verify the authority?
Moses
Comment #4
flamingvan commented:
I've looked into this some more. If a server accepts certificates from more than one authority this could create a security vulnerability. I will fix this in the 6.x version at some point.