JP2017055298A - Connection control device and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a connection control device and a program that can perform flexible control of whether communication should be permitted or rejected compared with a method for not permitting communication without exception if a public key certificate is determined to be inadequate by verification.SOLUTION: An adequacy verification unit 102 verifies a certificate transmitted to a user terminal within a LAN by a server on the Internet at the time of SSL connection start. A policy database 110 prescribes how to deal with communication connection between a user terminal and a server if the adequacy verification unit 102 determines that the certificate is inadequate. A communication permission/rejection determination unit 108 permits communication connection between the user terminal and the server if the adequacy verification unit 102 determines that the certificate from the server is adequate, and performs control to permit or reject the communication connection according to adequacy policy corresponding to the server registered with the policy database 110 if it determines that the certificate is inadequate.SELECTED DRAWING: Figure 2

Description

  The present invention relates to a connection control device and a program.

  In order to ensure the security of communication between the user terminal and the server via the Internet, a protocol of TLS (Transport Layer Security) or SSL (Secure Socket Layer) is used. These protocols use PKI (Public Key Infrastructure) technology. When the user terminal and the server start communication, each other's public key certificates (hereinafter simply referred to as “certificates”) are exchanged, and the PKI mechanism is used by using these certificates. Exchange encryption keys used for communication.

  As a conventional technology, when the web browser of the user terminal verifies the certificate from the server and obtains a verification result that the certificate is not valid, whether or not to continue communication is displayed on the screen. There is a technique for inquiring users.

  Conventionally, when a TLS / SSL connection from a user terminal in a LAN (local area network) to a server on the Internet is started, a gateway device provided at the exit to the Internet checks the server certificate. Things are also done.

  The gateway server device disclosed in Patent Literature 1 generates a temporary encryption communication relay permit and a pair of secret keys, and performs encrypted communication between the client device and the gateway server device using them. At that time, the encryption communication relay permit, the secret key, the IP address of the client device, the content server name, the communication method, etc. are registered in the database server. Then, encrypted communication is performed with the content server device. Accordingly, since the encrypted communication is once terminated in the gateway server device, various value-added processes can be performed there.

  Patent Document 2 discloses a mechanism for relaying communication data communicated between a client terminal and an information processing apparatus. This mechanism includes a first establishing unit that establishes a first SSL communication used for communication of communication data with a client terminal, and a second establishment that establishes a second SSL communication used for communication of communication data with an information processing device. And the public key certificate of the information processing apparatus acquired from the information processing apparatus when the second establishment unit establishes the second SSL communication, and the first establishment unit establishes the first SSL communication A transmission unit for transmitting to the terminal is provided.

  Patent Document 3 discloses a mechanism for relaying communication data communicated between a client terminal and an information processing apparatus. This mechanism includes a public key certificate of an information processing device acquired from the information processing device when establishing SSL communication with the information processing device to relay communication data between the client terminal and the information processing device. Determining whether the public key certificate of the information processing device is issued by the certificate authority using the public key certificate issued by the certificate authority trusted by the relay processing device, Whether to permit relaying of communication data between the client terminal and the information processing apparatus is determined according to the determination result.

JP 2006-165678 A JP 2011-151785 A JP 2012-137975 A

  If the public key certificate transmitted from the information processing apparatus of the communication destination to the communication source is found to be invalid as a result of the verification, it is basically reasonable in terms of security not to permit the communication. However, it may be inconvenient if communication is not permitted even if the public key certificate is determined not to be valid by verification. For example, the information processing device of the communication destination uses a public key certificate that is known to be safe for the communication source, but is determined to be invalid in general verification for some reason such as cost saving. It is. Public key certificates that are judged to be valid in general verification are considerably expensive because they are issued by appropriate issuers.

  An object of the present invention is to make it possible to control more flexibly whether or not to permit communication than a method in which communication is not permitted when the public key certificate is not valid.

  The invention according to claim 1 is a case where the public key certificate acquired from the first information processing apparatus to the second information processing apparatus and the public key certificate acquired by the acquisition means are not valid And a control means for controlling whether to permit communication between the first information processing apparatus and the second information processing apparatus.

  The invention according to claim 2 is characterized in that the control means, when the public key certificate is not valid, according to policy information indicating a procedure when the public key certificate is not valid, The communication control apparatus according to claim 1, wherein the communication control apparatus controls whether to permit communication with the second information processing apparatus.

  According to a third aspect of the present invention, the policy information indicates the treatment for each cause event determined that the public key certificate is not valid, and the control means is configured to use the public key certificate not valid. The communication control device according to claim 2, wherein control is performed to determine whether or not to permit the communication in accordance with a measure corresponding to a cause event determined to be invalid, indicated in the policy information. is there.

  The invention according to claim 4 further includes storage means for storing the latest public key certificate from the first information processing apparatus verified by the verification means, wherein the control means is acquired by the acquisition means. When the public key certificate from the first information processing apparatus is different from the one stored in the storage means, a measure is taken when the public key certificate of the first information processing apparatus is changed. 4. The control unit according to claim 2, wherein whether to allow communication between the first information processing apparatus and the second information processing apparatus is controlled according to the second policy information shown. 5. Is a communication control device.

  The invention according to claim 5 further includes storage means for storing the latest public key certificate from the first information processing apparatus verified by the verification means, the date and time of the verification, and the verification result, The control means, when the date and time of verification stored in the storage means for the public key certificate obtained from the first information processing apparatus by the obtaining means is within a predetermined validity period from the current date and time 4, wherein the verification of the public key certificate acquired by the acquisition unit is omitted, and the control is performed according to the verification result stored in the storage unit. The communication control device according to Item 1.

  In the invention according to claim 6, the computer obtains a public key certificate to be sent from the first information processing apparatus to the second information processing apparatus, and the public key certificate obtained by the obtaining means is valid. If not, it is a program for functioning as control means for controlling whether to permit communication between the first information processing apparatus and the second information processing apparatus.

  According to the first, second, or sixth aspect of the invention, it is possible to more flexibly control whether or not to permit communication than a method that does not permit communication when the public key certificate is not valid.

  According to the third aspect of the present invention, finer control is possible according to the causal event that the public key certificate is not valid than when the public key certificate is not valid.

  According to the fourth aspect of the present invention, finer control is possible as compared with the case where the public key certificate of the first information processing apparatus does not consider the change.

  According to the invention which concerns on Claim 5, compared with the case where a public key certificate is verified each time, the processing load for verification can be reduced.

It is a figure which shows the example of the system configuration | structure of embodiment. It is a figure which shows the example of a function structure of the gateway apparatus of embodiment. It is a figure which shows the example of the process sequence of the gateway apparatus of embodiment. It is a figure which shows the example of a function structure of the gateway apparatus of a 1st modification. It is a figure which shows the example of the process sequence of the gateway apparatus of a 1st modification. It is a figure which shows the example of the data content of policy DB (database) in a 2nd modification. It is a figure which shows the example of the data content of policy DB in a 3rd modification. It is a figure which shows the example of the data content of search result DB in a 4th modification. It is a figure which shows the example of the data content of policy DB in a 4th modification. It is a figure which shows the example of the process sequence of the gateway apparatus of a 4th modification.

  As shown in FIG. 1, the control according to the present embodiment is executed by the gateway device 100 that relays communication between the local network 250 and the Internet 350. The local network 250 is, for example, a LAN or an intranet. For example, the gateway device 100 relays a request addressed to the server 300 from the user terminal 200 on the local network 250 to the Internet 350. The request sent to the Internet 350 is transmitted to the destination server 300. The gateway device 100 receives a response from the server 300 to the request via the Internet 350 and transfers it to the user terminal 200. Although not limited to this, the user terminal 200 is a personal computer, for example, and the server 300 is a web server. Although only one user terminal 200 and one server 300 are shown in the figure, there are a plurality of user terminals 200 on the local network 250, and these user terminals 200 send requests to various servers 300 on the Internet 350. , Receive a response.

  In order to ensure the security of communication between the user terminal 200 and the server 300, a TLS (Transport Layer Security) or SSL (Secure Socket Layer) protocol is used. These protocols use PKI (Public Key Infrastructure) technology. When the user terminal 200 and the server 300 start communication, the public key certificate (hereinafter simply referred to as “certificate”) of the server 300 is transmitted to the user terminal, and the PKI mechanism is used using this certificate. Thus, the encryption key used for the subsequent communication is exchanged. In the present embodiment, the gateway device 100 verifies the certificate of the server 300 sent from the server 300 to the user terminal 200. If the verification fails, the gateway device 100 determines that the server 300 is not reliable, The communication between the user terminal 200 and the server 300 is cut off. However, in the server 300, a certificate that fails in general certificate verification for some reasons such as cost savings must be used, but it is known in advance that the local network 250 is secure. Some are. For example, a site temporarily provided on the Internet 350 by a person in an organization provided with the local network 250 for a short-term project or the like is an example. The gateway device 100 according to the present embodiment has a mechanism for permitting communication even if certificate verification fails for the server 300 that is known to be safe in advance.

  FIG. 2 shows a functional configuration of the gateway device 100 of the present embodiment.

  The validity verification unit 102 verifies the validity (also referred to as validity) of the certificate sent from the server 300 to the user terminal 200 at the start of communication by TLS / SSL. When the user terminal 200 tries to start communication with a server 300 indicated by a certain URL (Uniform Resource Locator), in the TLS / SSL mechanism, a communication start notification is first sent from the user terminal 200 to the server 300. Then, a response including the certificate of the server 300 is returned from the server 300 to the user terminal 200. The validity verification unit 102 verifies the validity of the certificate of the server 300. This verification process may be a conventionally known one.

  The verification result DB (database) 104 is a database that records the verification result of the validity verification unit 102. In the verification result DB 104, the URL of the server 300 (URL specified as the connection destination by the user terminal 200 when communication is started), the validity verification result (item “validity”), and the file of the certificate itself, Stored in association with each other. In the “validity” item, “○” indicates that the certificate from the URL is “valid” (“valid”), and “x” indicates that the certificate is “invalid” (“invalid” )).

  The communication availability determination unit 108 determines whether to allow communication between the user terminal 200 and the server 300. This determination is made based on the verification result of the validity verification unit 102 and the information in the policy DB 110.

  In the policy DB 110, the value of the validity policy is registered for each URL of each server 300. In the figure, the URL is simplified to avoid complexity.

  The validity policy is a procedure for communication access from the user terminal 200 to the server 300 (that is, the communication) when the certificate verification in the validity verification unit 102 fails (that is, when the verification result is “invalid”). This is a policy (rule) that defines how to deal with. The value of the validity policy includes, for example, “pass”, “block”, “notification”, and the like. “Pass” indicates that the communication is permitted, and “blocking” indicates that the communication is not permitted (and therefore the communication is blocked). “Notification” allows the communication, but notifies the network administrator or the log recording device of the communication information (for example, the date and time when the communication was performed, the URL of the server 300, the identification information of the user terminal 200). It shows that. For example, for a URL that is known to be safe by the network administrator of the local network 250 in advance, the URL and the validity policy value of “pass” or “notify” may be registered in the policy DB 110. The value of the validity policy is set by the network administrator.

  In the illustrated example, consider a case where, for example, the user terminal 200 accesses a URL “moge.com”. In this example, even if the certificate sent from “moge.com” is determined to be “invalid” by the validity verification unit 102, the value of the validity policy is “notification”. The access is permitted, and information about the access is notified to the network administrator or the like.

  With reference to FIG. 3, the processing procedure of the gateway apparatus 100 in this embodiment is demonstrated.

  This procedure is started when the gateway device 100 detects that the user terminal 200 in the local network 250 has started TLS / SSL communication with the server 300 on the Internet 350 (S10). In this procedure, the validity verification unit 102 verifies the validity of the certificate sent from the server 300 to the user terminal 200 in response to the start of communication (S12). When the result of this verification is “◯” (“valid”), the validity verification unit 102 records the verification result “O” in the verification result DB 104 in association with the URL of the server 300 (S14). When receiving the verification result “◯” from the validity verification unit 102, the communication availability determination unit 108 permits communication access from the user terminal 200 to the server 300 (S16).

  When the verification result in S12 is “×” (“invalid”), the validity verification unit 102 records the value “×” of the verification result in the verification result DB 104 in association with the URL of the server 300. (S18). When receiving the verification result “x” from the validity verification unit 102, the communication availability determination unit 108 determines whether communication is possible based on the validity policy of the policy DB 110 (S20). Here, when the validity policy corresponding to the URL of the communication destination server 300 is not registered (or the URL is not in the policy DB 110), it is determined as “not permitted” (“blocked”). If a validity policy corresponding to the URL of the server 300 is registered, the validity policy value is followed. That is, if the validity policy is “pass”, access from the user terminal 200 to the server 300 is permitted (S16). If the validity policy is “notification”, the communication availability determination unit 108 notifies the network administrator of communication information from the user terminal 200 to the server 300 by e-mail or records it as log data or the like. (S22), the communication is permitted (S16). If the validity policy is “blocking”, the communication from the user terminal 200 to the server 300 is blocked (S24). In this case, an error message indicating that communication is not possible due to security reasons may be notified to the user terminal 200 that is the communication request source.

  Next, a first modification will be described.

  FIG. 4 shows a configuration of the gateway device 100 in the first modification. The difference from the configuration of the embodiment shown in FIG. 2 is that it has a change detection unit 106 and that a change policy is registered in the policy DB 110.

  The change detection unit 106 determines whether or not the certificate of the server 300 verified this time has been changed from the certificate at the previous verification of the same server 300. If the previous and current certificate data match, there is no change, and if they do not match, the data has been changed. The change policy held in the policy DB 110 defines a treatment for communication between the user terminal 200 and the server 300 when the certificate has been changed from the previous time. Possible values of the change policy may be the same as those of the validity policy.

  With reference to FIG. 5, the processing procedure of this modification will be described. In FIG. 5, the same steps as those in the processing procedure of FIG.

  In the procedure of FIG. 5, the processing procedure in which the certificate validation result from the server 300 is “×” (when S12 is NG) is the same as in the above embodiment. When it is determined that the certificate is valid in S12, in this modification, the validity verification unit 102 registers the verification result in the verification result DB 104 (S14), and the change detection unit 106 corresponds to the URL of the server 300. The previously recorded certificate file is acquired from the verification result DB 104 (S30). Then, it is determined whether or not the certificate has been changed by comparing the acquired previous certificate with the certificate verified this time (S32).

  The determination result of S32 is divided into three cases.

  First, there is a case where there is no previous certificate in the verification result DB 104. In this case, the gateway apparatus 100 associates the current certificate with the URL of the server 300 and stores it in the verification result DB 104 (S34), and then permits communication between the user terminal 200 and the server 300 (S16).

  The second case of the determination result of S32 is “no change”. In this case, since the same certificate as the current certificate is already stored in the verification result DB 104, the gateway device 100 (communication availability determination unit 108) skips S34 and permits communication between the user terminal 200 and the server 300. (S16).

  The third case of the determination result in S32 is “changed”. In this case, the change detection unit 106 deletes the previous certificate file corresponding to the URL of the server 300 in the verification result DB 104, and stores the current certificate in association with the URL instead (S36). . Then, the communication feasibility determining unit 108 determines a treatment for the communication in accordance with the change policy corresponding to the URL of the server 300 in the policy DB 110 (S38). In this determination, when the value of the change policy corresponding to the URL of the server 300 is not registered (or the URL is not in the policy DB 110), it is determined that the communication is “not permitted” (“blocked”). When a change policy corresponding to the URL of the server 300 is registered, the policy value is followed. That is, if the change policy is “pass”, access from the user terminal 200 to the server 300 is permitted (S16), and if “notification”, the communication information is notified or recorded to the administrator or the like. (S22), the communication is permitted (S16). If the change policy is “blocking”, communication from the user terminal 200 to the server 300 is blocked (S24). In this case, an error message indicating that communication is not possible due to security reasons may be notified to the user terminal 200 that is the communication request source.

  By defining the change policy, for example, even when the certificate is updated, whether communication is possible or not is controlled in accordance with the network administrator's aim.

  Next, a second modification will be described. The configuration of the gateway device 100 in the second modified example may be the same as the configuration of the above-described embodiment or modified example illustrated in FIG. 2 or FIG.

  In the embodiment described above, the validity policy has only one value that defines the action when the certificate verification result is “invalid”. On the other hand, in this embodiment, the verification result of the certificate is subdivided, and a procedure is defined for each variation of the verification result.

  For example, even if the verification result of the certificate is “invalid”, the root certificate trusted by the gateway device 100 is not reached even after going back in the certificate chain (the certificate of the server 300). May be a self-signed certificate), or the certificate may have expired. In addition, when the URL of the communication destination server 300 and the CN (Common Name) of the certificate do not match, the certificate is included in the revocation list, the certificate data is corrupted, etc. Corresponds to the causal event determined as “invalid”. In this second modification, “invalid” is classified for each such cause event, and the value of the validity policy is set for each cause event.

  FIG. 6 shows an example of data contents of the policy DB 110 in this modification. In the example of FIG. 6, the validity policy for “moge.com” is “pass” when the verification result is “O” (ie, “valid”), and “notification” when “expired (certificate)”. In cases other than these two cases (that is, “invalid” other than “expired”), “blocking” is set.

  In the process of this modification, when the verification result of the certificate of the server 300 is “invalid”, the gateway device 100 checks which case the verification result is subdivided into “invalid”, and the server Among the validity policies corresponding to the 300 URLs, a measure corresponding to the case is selected. For example, when the certificate from the server “moge.com” is “expired” and determined to be “invalid”, the gateway device 100 (communication availability determination unit 108) manages the certificate from the validity policy illustrated in FIG. The communication is permitted after "notifying" the user.

  In addition, the validity policy may be defined by a combination of the verification result and other conditions. For example, when the verification result is “expired”, if the current date and time is within a predetermined length of time from the “expiration date”, communication is permitted (for example, “pass” or “notification” is determined), and the period For example, communication is disallowed ("blocked") after passing.

  As described above, the verification result is divided into cases in detail, and by defining the treatment according to the case, more precise control becomes possible.

  Next, a third modification will be described. In the third modified example, as shown in FIG. 7, an item “forced setting” is provided in the policy DB 110. Possible values of the “forced setting” item may be the same as those of the validity policy and the change policy.

  When a value is set in the “force setting” item in the policy DB 110 for the URL specified by the user terminal 200 as the communication destination, the gateway device 100 sends a certificate sent from the URL (server 300). The validity verification and change detection are omitted, and the communication is controlled according to the value of the item.

  Next, a fourth modification will be described.

  In the above-described embodiment, each time the user terminal 200 tries to communicate with the server 300 by TLS / SSL, the validity of the certificate from the server 300 is verified. Since there are a plurality (in some cases, a very large number) of user terminals 200 on the local network 250, a plurality of communications may be performed with respect to the same server 300 in a short period of time. Since the validity verification processing has a high calculation load, it may not be preferable to verify the same certificate many times in a short period of time because of the capability of the gateway device 100 or the like. Therefore, in this modification, for a certificate that has been verified once, the verification result is omitted for a while after the verification is reused.

  The configuration of the gateway device 100 according to this modification may be the same as that shown in FIGS. In this modified example, as shown in FIG. 8, the date and time when the validity of the certificate was last verified (“verification date”) is recorded in the verification result DB 104. In the example of FIG. 8, the certificate from “moge.com” was last verified at 15:30 on August 2, 2015, and the verification result at that time was “expired”. Are stored with the identification name “file 2”.

  In this modified example, as shown in FIG. 9, “cache validity period” can be registered in the policy DB 110. The “cache validity period” is a period during which the “validity” verification result (cached verification result value) recorded in the verification result DB 104 is regarded as valid. In other words, in this modified example, the validity verification result performed on the “verification date” is trusted as valid from the “verification date” registered in the verification result DB 104 to the “cache validity period”. The validation process is omitted. The value of “cache validity period” may be appropriately determined by the network administrator based on knowledge about the server 300 corresponding to the URL. The “cache validity period” may be set individually for each URL as in the illustrated example, or may be set uniformly regardless of the URL.

  FIG. 10 illustrates the processing procedure of this modification. In this procedure, when the start of the TLS / SSL connection is detected (S10), the communication availability determination unit 108 determines that the “certificate” and “verification date” corresponding to the URL of the server 300 to which the communication is connected are the verification result DB 104. (S40). In S40, it is determined whether the certificate sent from the server 300 at that time matches the certificate stored in the verification result DB 104 in association with the URL. When the “certificate” and the “verification date” corresponding to the connection destination URL are in the verification result DB 104 and the “certificate” matches the certificate sent this time from the URL, the determination result of S40 Becomes “Yes” (Yes). On the other hand, if any one of the conditions is not satisfied, the determination result in S40 is “none” (No).

  When the determination result in S40 is “Yes”, the communication availability determination unit 108 obtains the “cache validity period” corresponding to the URL from the policy DB 110, and the current time is within the “cache validity period” in view of the “verification date”. It is determined whether or not (S42). When the result of this determination is Yes, the communication availability determination unit 108 determines whether or not the verification result (“validity”) corresponding to the URL in the verification result DB 104 is “◯” (“valid”). (S44). If the verification result is “◯”, the communication availability determination unit 108 permits the communication (S16). If the verification result is not “◯”, the process proceeds to S20, and the communication is permitted / blocked according to the validity policy corresponding to the URL. The processes after S20 are the same as those in the above-described embodiment shown in FIG. 3 or FIG.

  Thus, in this modified example, if the verification of the certificate sent from the URL of the connection destination has already been made within the “cache validity period” from the present time, the verification result is trusted and this time The verification of is omitted.

  If the determination result in S40 is “No”, that is, if the certificate sent this time has not been verified in the past, or if it has been verified, it is not within the “cache validity period”, the process proceeds to S12. Next, the validity verification unit 102 verifies the certificate. Then, the verification result and the date and time at that time are recorded in the verification result DB 104 (or the verification result and the verification date and time in the existing entry of the URL are updated) (S14a or S18a). At this time, the certificate is stored in the verification result DB 104 in association with the URL. Subsequent processing is the same as in the above-described embodiment shown in FIG. 3 or FIG.

  The gateway device 100 exemplified above is realized, for example, by causing a built-in computer to execute a program representing the function of each device. Here, the computer includes, as hardware, a microprocessor such as a CPU, a memory (primary storage) such as a random access memory (RAM) and a read only memory (ROM), an HDD controller that controls an HDD (hard disk drive), Various I / O (input / output) interfaces, network interfaces that perform control for connection to a network such as a local area network, and the like have a circuit configuration connected via a bus, for example. Also, portable non-volatile recording of various standards such as a disk drive and a flash memory for reading and / or writing to a portable disk recording medium such as a CD or a DVD via the I / O interface, for example. A memory reader / writer for reading from and / or writing to a medium may be connected. A program in which the processing contents of each functional module exemplified above are described is stored in a fixed storage device such as a hard disk drive via a recording medium such as a CD or DVD, or via a communication means such as a network, and stored in a computer. Installed. The program stored in the fixed storage device is read into the RAM and executed by a microprocessor such as a CPU, thereby realizing the functional module group exemplified above.

  DESCRIPTION OF SYMBOLS 100 Gateway apparatus, 102 Validity verification part, 104 Verification result DB, 106 Change detection part, 108 Communication availability judgment part, 110 Policy DB, 200 User terminal, 250 Local network, 300 Server, 350 Internet.

Claims (6)

Obtaining means for obtaining a public key certificate sent from the first information processing apparatus to the second information processing apparatus;
Control means for controlling whether to permit communication between the first information processing apparatus and the second information processing apparatus when the public key certificate acquired by the acquisition means is not valid;
Including a communication control device.   The control means, when the public key certificate is not valid, according to the policy information indicating the action when the public key certificate is not valid, between the first information processing apparatus and the second information processing apparatus. The communication control apparatus according to claim 1, wherein the communication control apparatus controls whether to permit communication. The policy information indicates the action for each cause event determined that the public key certificate is invalid.
When the public key certificate is not valid, the control means controls whether to permit the communication according to a measure corresponding to a cause event determined to be invalid indicated in the policy information. The communication control apparatus according to claim 2. Storage means for storing the latest public key certificate from the first information processing apparatus verified by the verification means;
When the public key certificate from the first information processing device acquired by the acquisition unit is different from that stored in the storage unit, the control unit discloses the first information processing device. Controlling whether to allow communication between the first information processing apparatus and the second information processing apparatus according to the second policy information indicating the action when the key certificate is changed. The communication control apparatus according to claim 2, wherein the communication control apparatus is characterized. Storage means for storing the latest public key certificate from the first information processing apparatus verified by the verification means, the date and time of the verification, and the verification result;
The control means, when the date and time of verification stored in the storage means for the public key certificate obtained from the first information processing apparatus by the obtaining means is within a predetermined validity period from the current date and time 4, wherein the verification of the public key certificate acquired by the acquisition unit is omitted, and the control is performed according to the verification result stored in the storage unit. The communication control apparatus according to item 1. Computer
Obtaining means for obtaining a public key certificate sent from the first information processing apparatus to the second information processing apparatus;
Control means for controlling whether or not communication between the first information processing apparatus and the second information processing apparatus is permitted when the public key certificate obtained by the obtaining means is not valid;
Program to function as.