What is the difference between requiring an SSL cert and accepting an SSL cert?

So I know the fundamental difference between requiring an SSL cert and accepting, one means you must have an SSL certificate and the other means you don't need one.

In my IIS Manager for a certain webpage I have this setup:

The issue that I am having is that when I set Require SSL Cert and have Client certificates set to accept/ignore I can only get to the webpage using HTTPS. Now if I change it to Require, I can no longer access the webpage, even with HTTPS... so I am just trying to figure out what the difference is, and how it affects the webpage.

So maybe my question is phrased wrong... I'm not sure, my understanding on the subject is fairly limited, so any help would be appreciated.

Thanks!

Adjit asked Oct 15 '13 14:10




1 Answer

Client-certificate authentication can be optional or mandatory, or not used at all.

  • Ignore is when it's not used at all.
  • Accept will take a certificate if it's presented, but will also continue with connections where the client doesn't present one.
  • Require only continues with connections that have a client certificate.

Client-certificate authentication is something that can only be initiated by the server in SSL/TLS, so this terminology isn't quite correct, but that's what's used in IIS.

Bruno answered Oct 20 '22 14:10
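How the three options from the answer look in IIS configuration, as an added example that is not part of the original question or answer: IIS stores them in the `sslFlags` attribute of the `<access>` element (`Ssl` for Require SSL, `SslNegotiateCert` for Accept, `SslNegotiateCert` plus `SslRequireCert` for Require). The Python sketch below audits a constructed config fragment and reports, per location, whether a client without a certificate can still connect; the site names and the `audit` and `client_cert_mode` helpers are assumptions made for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like <location> blocks in applicationHost.config;
# the site names are invented for this example.
SAMPLE_CONFIG = """
<configuration>
  <location path="Public">
    <system.webServer><security><access sslFlags="None" /></security></system.webServer>
  </location>
  <location path="Intranet">
    <system.webServer><security><access sslFlags="Ssl" /></security></system.webServer>
  </location>
  <location path="Portal">
    <system.webServer><security><access sslFlags="Ssl, SslNegotiateCert" /></security></system.webServer>
  </location>
  <location path="Partners/api">
    <system.webServer><security><access sslFlags="Ssl, SslNegotiateCert, SslRequireCert" /></security></system.webServer>
  </location>
</configuration>
"""

def client_cert_mode(flags):
    """Map sslFlags tokens to the IIS Manager option named in the answer."""
    if "SslRequireCert" in flags:
        return "Require"   # connection continues only with a client certificate
    if "SslNegotiateCert" in flags:
        return "Accept"    # certificate is used if presented, optional otherwise
    return "Ignore"        # client certificates are not used at all

def audit(config_xml):
    """Return {location path: (require_ssl, cert_mode, certless_client_ok)}."""
    report = {}
    for loc in ET.fromstring(config_xml).iter("location"):
        # Simplification of this sketch: a location without its own <access>
        # element is reported as "None" instead of resolving inheritance.
        access = next(loc.iter("access"), None)
        raw = access.get("sslFlags", "None") if access is not None else "None"
        flags = {f.strip() for f in raw.split(",")} - {"None", ""}
        mode = client_cert_mode(flags)
        report[loc.get("path")] = ("Ssl" in flags, mode, mode != "Require")
    return report

if __name__ == "__main__":
    for path, (ssl_required, mode, certless_ok) in audit(SAMPLE_CONFIG).items():
        print(f"{path:14} RequireSSL={ssl_required!s:5} ClientCerts={mode:8} "
              f"no-cert client allowed={certless_ok}")
```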