Application-level Gateway is able to automatically verify the certificates received. The types of accepted certificates can be controlled separately on the client and the server side using the attributes of the ClientCertificateVerifier and ServerCertificateVerifier classes (or your own classes derived from these), respectively. These attributes offer an easy way to restrict encrypted access only to sites having trustworthy certificates. The available options are summarized in the following table. (The text in parentheses refers to the respective value in older PNS versions.)
required | |||
|---|---|---|---|
| TRUE | FALSE | ||
trusted
| TRUE | Peer must have a valid certificate (REQUIRED-TRUSTED) | Peer must have a valid certificate, issued by any CA (REQUIRED-UNTRUSTED) |
| FALSE | Certificate is not required, but if the peer shows a certificate, it must be valid and signed by a trusted CA (OPTIONAL-TRUSTED) | Certificate is not required, but if the peer shows a certificate, it must be valid. It can be issued by any CA (OPTIONAL-UNTRUSTED) | |
To accept peers with invalid certificates, set the permit_invalid_certificates to TRUE.
By default (if the check_subject parameter is set to TRUE in the verifier), Application-level Gateway compares the domain name provided in the Subject field of the server certificate to application-level information about the server (that is, the domain name of the URL in HTTP and HTTPS connections).
| Example 3.1. Accepting invalid certificates |
|---|
|
The following example configures a simple Encryption Policy that permits invalid certificated, and does not check the subject of the server's certificate. EncryptionPolicy(
name="MyTLSEncryption",
encryption=TwoSidedEncryption(
client_verify=None,
server_verify=ServerCertificateVerifier(
ca_directory="/etc/ca.d/certs/",
crl_directory="/etc/ca.d/crls/",
permit_invalid_certificates=TRUE,
check_subject=FALSE)
)
|
Published on June 04, 2020
© 2007-2019 BalaSys
Send your comments to support@balasys.hu
