SSL client certificate
Specifies whether accessing this virtual host requires the client to authenticate with a valid SSL client certificate. Together with the SSL server certificate, client certificates provide mutual authentication between Airlock Gateway and the browser. If the client authenticates itself with a client certificate, man-in-the-middle attacks on the connection are prevented.
Options:
- Not needed: No certificate is requested from the client. The virtual host may be accessed without a client certificate.
- Optional: The client may send a certificate if it has one, but access is still allowed without one. The optional setting is normally used in combination with an authentication service that presents an alternative login page if no certificate is sent. Do not use the 'optional' setting without this additional authentication service check.
- Required: The client must send a valid certificate before accessing any of the connected mappings. If no client certificate is sent, the SSL handshake is canceled and the browser typically presents the user with a technical error message.
Note: This setting is also available for each virtual host. If you need to check client certificates, it is recommended to require a client certificate on the virtual host level, not on the mapping level. If client certificates are required on the virtual host, the connected mappings can be set to "SSL client certificate: inherit from virtual host".
Chain verification depth
The verification depth specifies the maximum number of CA certificates (i.e. intermediate certificate issuers) that may be followed while verifying the client certificate. The default depth of 1 means that the client certificate has to be signed by a CA which is directly known to the server.
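The following added example (not Airlock Gateway code) models the depth rule above on hypothetical, constructed certificates: it walks the issuer links from the client certificate towards the trust store and stops after `depth` CA certificates, so a certificate signed directly by a known CA passes at depth 1 while one issued through an intermediate needs depth 2. It checks issuer linkage and the CA flag only; real signature verification is out of scope.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (hypothetical): only the
    fields the chain walk needs. No signatures are verified here."""
    subject: str
    issuer: str
    is_ca: bool = False


def verify_chain(client_cert, presented, trusted, depth):
    """Return (ok, reason). Follow at most `depth` CA certificates from the
    client certificate until an issuer in the trust store is reached.
    depth=1 therefore means 'signed directly by a CA known to the server'."""
    known = {c.subject for c in trusted}
    supplied = {c.subject: c for c in presented}   # chain sent by the client
    current = client_cert
    for hops in range(1, depth + 1):
        if current.issuer in known:
            return True, f"issuer '{current.issuer}' is trusted after {hops} CA step(s)"
        nxt = supplied.get(current.issuer)
        if nxt is None:
            return False, f"issuer '{current.issuer}' is neither trusted nor presented"
        if not nxt.is_ca:
            return False, f"'{nxt.subject}' is not a CA certificate"
        current = nxt
    return False, f"chain exceeds verification depth {depth}"


# Constructed sample certificates (not real ones).
ROOT = Cert("Example Root CA", "Example Root CA", is_ca=True)       # in trust store
INTER = Cert("Example Issuing CA", "Example Root CA", is_ca=True)   # intermediate
DIRECT = Cert("alice", "Example Root CA")            # signed directly by the root
VIA_INTER = Cert("bob", "Example Issuing CA")        # signed via the intermediate
UNKNOWN = Cert("mallory", "Other CA")                # issuer not known at all

if __name__ == "__main__":
    for name, cert, chain, depth in [
        ("direct, depth 1", DIRECT, [], 1),
        ("via intermediate, depth 1", VIA_INTER, [INTER], 1),
        ("via intermediate, depth 2", VIA_INTER, [INTER], 2),
        ("unknown issuer, depth 5", UNKNOWN, [], 5),
    ]:
        print(f"{name}: {verify_chain(cert, chain, [ROOT], depth)}")
```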
Enable OCSP validation
This option enables OCSP (Online Certificate Status Protocol) validation of the client certificate chain. For more information see the corresponding Apache directive.
OCSP servers must be whitelisted in the Section – Allowed Network Endpoints, since Airlock Gateway refuses connections to arbitrary hosts on the internet.