{"description": "<tt>SSLVerifyClient</tt> should be set and configured to <tt>require</tt> by\nsetting the following in <tt>/etc/httpd/conf/httpd.conf</tt>:\n<pre>SSLVerifyClient require</pre>", "rationale": "Web sites requiring authentication must utilize PKI as an\nauthentication mechanism for web users. Information systems residing behind web\nservers requiring authorization based on individual identity must use the\nidentity provided by certificate-based authentication to support access control\ndecisions.", "severity": "medium", "references": {}, "control_references": {}, "components": [], "identifiers": {}, "ocil_clause": "it is not", "ocil": "To verify if <tt>SSLVerifyClient</tt> is configured correctly in\n<tt>/etc/httpd/conf/httpd.conf</tt>, run the following command:\n<pre>$ grep -i sslverifyclient /etc/httpd/conf/httpd.conf</pre>\nThe command should return the following:\n<pre>SSLVerifyClient require</pre>", "oval_external_content": null, "fixtext": "", "checktext": "", "vuldiscussion": "", "srg_requirement": "", "warnings": [], "conflicts": [], "requires": [], "policy_specific_content": {}, "platform": null, "platforms": [], "sce_metadata": {}, "inherited_platforms": [], "cpe_platform_names": [], "inherited_cpe_platform_names": [], "bash_conditional": null, "fixes": {}, "title": "Require Client Certificates", "definition_location": "/aptdata/openscap/scap-security-guide/linux_os/guide/services/http/securing_httpd/httpd_modules_improve_security/httpd_deploy_mod_ssl/httpd_require_client_certs/rule.yml", "template": null}