5.5.19.1. Attributes of ServerCertificateVerifier

ca_directory (string)
Default: ""
Directory where the trusted CA certificates are stored. Note that when handling an SSL or TLS connection and the ca_directory parameter is set, Zorp loads every certificate available in this directory, and this might require a huge amount of memory. If the verify_type parameter is set to verify peer certificates, Zorp sends the subject names of CA certificates stored in this directory to the peer to request a certificate from these CAs. Unless you are authenticating the peers based on their certificates, use the verify_ca_directory option instead.

check_subject (boolean)
Default: TRUE
If the check_subject parameter is TRUE, Zorp compares the Subject of the server-side certificate with application-layer information (for example, it checks whether the Subject matches the hostname in the URL). For details, see Section 3.2.5, Certificate verification options.

crl_directory (string)
Default: ""
Directory where the CRLs associated with the trusted CAs are stored. Note that when handling an SSL or TLS connection and the crl_directory parameter is set, Zorp loads every CRL available in this directory, and this might require a huge amount of memory. Unless you are authenticating the peers based on their certificates, use the verify_crl_directory option instead.

permit_invalid_certificates (boolean)
Default: FALSE
When permit_invalid_certificates is TRUE and trusted is FALSE, Zorp accepts even invalid certificates, for example, expired or self-signed certificates.

permit_missing_crl (boolean)
Default: FALSE
This option has effect only if the verify_crl_directory parameter is set. If Zorp does not find a CRL in these directories that matches the CAs in the certificate chain and permit_missing_crl is set to FALSE, Zorp rejects the certificate. Otherwise, the certificate is accepted even if no matching CRL is found.

Available only in Zorp version 3.4.3 and later.

trusted (boolean)
Default: TRUE
If the peer shows a certificate and the trusted parameter is TRUE, only certificates signed by a trusted CA are accepted.

trusted_certs_directory (string)
Default: ""
A directory where trusted IP address - certificate assignments are stored. When a peer from a specific IP address shows the certificate stored in this directory, it is accepted regardless of its expiration or issuer CA. Each file in the directory should contain a certificate in PEM format. The filename must be the IP address.

verify_ca_directory (string)
Default: ""
Directory where the trusted CA certificates are stored. CA certificates are loaded on-demand from this directory when Zorp verifies the certificate of the peer.

Available only in Zorp version 3.4.3 and later.

verify_crl_directory (string)
Default: ""
Directory where the CRLs (Certificate Revocation Lists) associated with trusted CAs are stored. CRLs are loaded on-demand from this directory when Zorp verifies the certificate of the peer.

Available only in Zorp version 3.4.3 and later.

verify_depth (integer)
Default: 4
The length of the longest accepted CA verification chain. Zorp will automatically reject longer CA chains.
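The attributes above interact: permit_invalid_certificates only has effect when trusted is FALSE, permit_missing_crl only when verify_crl_directory is set, and a per-IP certificate from trusted_certs_directory bypasses both the validity and issuer checks. The following Python model, written for this page and not taken from Zorp, applies those documented rules in order to constructed certificates so the combinations can be checked side by side. The attribute names and defaults follow the list above; the PeerCertificate fields, the helper names and the sample PEM text are assumptions standing in for real X.509 parsing.

```python
"""Model of how the ServerCertificateVerifier attributes combine into an
accept/reject decision. Illustration only, not Zorp's implementation."""
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field, replace


def load_trusted_certs(directory: str) -> dict:
    """Read a trusted_certs_directory: one PEM file per peer, named by IP."""
    pinned = {}
    if not directory:
        return pinned
    for name in os.listdir(directory):
        with open(os.path.join(directory, name), encoding="utf-8") as fh:
            pinned[name] = fh.read()
    return pinned


@dataclass
class VerifierOptions:
    # Names and defaults follow the attribute list on this page.
    trusted: bool = True
    permit_invalid_certificates: bool = False
    permit_missing_crl: bool = False
    verify_depth: int = 4
    verify_crl_directory: str = ""
    trusted_certs_directory: str = ""
    pinned: dict = field(default_factory=dict)  # ip -> PEM text

    def __post_init__(self):
        self.pinned = load_trusted_certs(self.trusted_certs_directory)


@dataclass
class PeerCertificate:
    # Assumed, simplified view of what the verifier learns about the peer.
    pem: str
    peer_ip: str
    chain_length: int            # CA certificates in the verification chain
    signed_by_trusted_ca: bool
    valid: bool                  # False for expired or self-signed certs
    crl_found: bool              # a CRL matched the CAs in the chain


def verify(cert: PeerCertificate, opts: VerifierOptions) -> tuple[bool, str]:
    """Return (accepted, reason) by applying the documented rules in order."""
    # trusted_certs_directory: exact match for the peer's IP is accepted
    # regardless of expiration or issuer CA.
    if opts.pinned.get(cert.peer_ip) == cert.pem:
        return True, "pinned certificate for peer IP"
    # verify_depth: longer chains are rejected outright.
    if cert.chain_length > opts.verify_depth:
        return False, "chain longer than verify_depth"
    # trusted: only certificates signed by a trusted CA are accepted.
    if opts.trusted and not cert.signed_by_trusted_ca:
        return False, "not signed by a trusted CA"
    # permit_invalid_certificates relaxes validity only when trusted is FALSE.
    if not cert.valid and (opts.trusted or not opts.permit_invalid_certificates):
        return False, "invalid (expired or self-signed) certificate"
    # permit_missing_crl matters only when verify_crl_directory is set.
    if opts.verify_crl_directory and not cert.crl_found and not opts.permit_missing_crl:
        return False, "no CRL found for a CA in the chain"
    return True, "ok"


def run_scenarios() -> dict:
    """Exercise each rule with constructed input; returns scenario -> accepted."""
    good = dict(pem="-----BEGIN CERTIFICATE-----\nCONSTRUCTED\n-----END CERTIFICATE-----\n",
                peer_ip="10.0.0.5", chain_length=2, signed_by_trusted_ca=True,
                valid=True, crl_found=True)
    ok = PeerCertificate(**good)
    self_signed = replace(ok, signed_by_trusted_ca=False, valid=False)
    results = {}
    defaults = VerifierOptions()
    results["trusted_ca_valid"] = verify(ok, defaults)[0]
    results["self_signed_default"] = verify(self_signed, defaults)[0]
    results["chain_too_long"] = verify(replace(ok, chain_length=5), defaults)[0]
    relaxed = VerifierOptions(trusted=False, permit_invalid_certificates=True)
    results["self_signed_relaxed"] = verify(self_signed, relaxed)[0]
    results["expired_but_trusted"] = verify(
        replace(ok, valid=False), VerifierOptions(permit_invalid_certificates=True))[0]
    crl_dir = "/placeholder/crl"  # placeholder path; only "is set" matters here
    results["missing_crl_strict"] = verify(
        replace(ok, crl_found=False), VerifierOptions(verify_crl_directory=crl_dir))[0]
    results["missing_crl_permitted"] = verify(
        replace(ok, crl_found=False),
        VerifierOptions(verify_crl_directory=crl_dir, permit_missing_crl=True))[0]
    # A temporary directory plays the role of trusted_certs_directory.
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "10.0.0.5"), "w", encoding="utf-8") as fh:
            fh.write(good["pem"])
        pinned_opts = VerifierOptions(trusted_certs_directory=tmp)
        results["pinned_expired_same_ip"] = verify(self_signed, pinned_opts)[0]
        results["pinned_expired_other_ip"] = verify(
            replace(self_signed, peer_ip="10.0.0.6"), pinned_opts)[0]
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:28s} {'accept' if accepted else 'reject'}")
```

The model deliberately leaves out what the page does not specify (how the chain itself is built, or the memory difference between ca_directory and verify_ca_directory); its value is in showing that setting permit_invalid_certificates alone changes nothing while trusted stays TRUE, and that a pinned per-IP certificate is accepted even when every other rule would reject it, so that directory deserves the same access control as a CA store.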