3.2.3.5. Certificate verification options

Zorp can automatically verify the certificates it receives. The types of accepted certificates can be controlled separately on the client and the server side using the ssl.client_verify_type and the ssl.server_verify_type attributes. These attributes offer an easy way to restrict encrypted access to sites that present trustworthy certificates. The available options are summarized in the following table.

Name                         Value
TLS_TRUST_LEVEL_NONE         Accept invalid (for example, expired) certificates.
TLS_TRUST_LEVEL_UNTRUSTED    Both trusted and untrusted certificates are accepted.
TLS_TRUST_LEVEL_FULL         Only valid certificates signed by a trusted CA are accepted.

Table 3.2. Constants for trust level selection.

The ssl.server_check_subject attribute can be used to compare the domain name in the Subject field of the server certificate with application-level information about the server. Currently it compares the Subject field with the domain name of the HTTP request in HTTPS communication. If ssl.server_check_subject is set to TRUE and ssl.server_verify_type is SSL_VERIFY_REQUIRED_UNTRUSTED or SSL_VERIFY_REQUIRED_TRUSTED, the HTTP proxy using the SSL framework denies access to the page and returns an error if the Subject field does not match the domain name of the URL.
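The following stand-alone Python model illustrates the decision described above (trust level from Table 3.2 plus the Subject check); it is an added example, not Zorp's own code. The names ServerCert, subject_matches and verify_server_cert are assumptions for this illustration, the table's TLS_TRUST_LEVEL_* names are used for the verify type, and the model assumes that TLS_TRUST_LEVEL_UNTRUSTED still rejects invalid (e.g. expired) certificates.

```python
from dataclasses import dataclass
from typing import Tuple

# Constant names mirror Table 3.2; the string values are arbitrary (assumed).
TLS_TRUST_LEVEL_NONE = "none"
TLS_TRUST_LEVEL_UNTRUSTED = "untrusted"
TLS_TRUST_LEVEL_FULL = "full"


@dataclass
class ServerCert:
    """Constructed summary of a server certificate (hypothetical helper type)."""
    subject_cn: str   # CN part of the Subject field
    valid: bool       # not expired, signature and chain well-formed
    trusted_ca: bool  # chain ends at a CA in the proxy's trust store


def subject_matches(subject_cn: str, host: str) -> bool:
    """Compare the Subject CN with the requested host name, case-insensitively.
    A single leading '*.' label matches exactly one host label."""
    cn, host = subject_cn.lower().rstrip("."), host.lower().rstrip(".")
    if cn.startswith("*."):
        cn_labels, host_labels = cn.split(".")[1:], host.split(".")
        return len(host_labels) == len(cn_labels) + 1 and host_labels[1:] == cn_labels
    return cn == host


def verify_server_cert(cert: ServerCert, trust_level: str,
                       check_subject: bool, request_host: str) -> Tuple[bool, str]:
    """Return (accepted, reason) following the rules of this section."""
    if trust_level == TLS_TRUST_LEVEL_FULL and not (cert.valid and cert.trusted_ca):
        return False, "certificate invalid or not signed by a trusted CA"
    # Assumption: the UNTRUSTED level tolerates an untrusted issuer, not an invalid cert.
    if trust_level == TLS_TRUST_LEVEL_UNTRUSTED and not cert.valid:
        return False, "certificate invalid"
    # The Subject check applies only when some verification level is required.
    if (check_subject and trust_level != TLS_TRUST_LEVEL_NONE
            and not subject_matches(cert.subject_cn, request_host)):
        return False, "subject %r does not match requested host %r" % (cert.subject_cn, request_host)
    return True, "accepted"
```
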