httpd-users mailing list archives

From Marat Khalili <...@rqc.ru>
Subject Re: [users@httpd] SSL_CLIENT_SAN IP addr validation
Date Mon, 19 Dec 2016 17:48:25 GMT
As an additional benefit, you will be able to issue certificates with 
regular expressions matching whole subnets! :)

--

With Best Regards,
Marat Khalili


On 19/12/16 20:41, Marat Khalili wrote:
>> Are you suggesting to put the IP address with the DNS prefix instead 
>> of the proper IP prefix?
> Actually, I was not aware of official possibility of having an IP 
> address in subjectAltName until 5 minutes ago :) But since Apache 
> developers also didn't provide for this, using DNS prefix is 
> definitely an option.
>
>> Also what about the possibility of having a variable number of 
>> addresses there?
> Provided you are not going to have too many SANs, quick and dirty 
> solution would be:
>> Require expr "%{REMOTE_ADDR} =~ 
>> /^(%{SSL_CLIENT_SAN_DNS_1}|%{SSL_CLIENT_SAN_DNS_2}|%{SSL_CLIENT_SAN_DNS_3}|%{SSL_CLIENT_SAN_DNS_4}|...)$/"
> (Missing variables will expand to empty strings). I hope I know it's 
> ugly as hell, but so are client certificates with multiple IP address 
> aliases.
>
> -- 
>
> With Best Regards,
> Marat Khalili
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>
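
Added example (not part of the original messages and not Apache httpd code): a Python model of the `Require expr` quoted above, with Python's `re` standing in for Apache's regex engine, beside an exact comparison of parsed addresses. The function names, the four-slot padding and the sample SAN values are constructed for illustration.

```python
import ipaddress
import re


def regex_style_match(remote_addr, san_values, slots=4):
    """Model of the posted expression: SAN strings pasted into one alternation.

    Missing slots become empty strings, as the post says. The SAN text is
    interpreted as a pattern, not as a literal address.
    """
    padded = (list(san_values) + [""] * slots)[:slots]
    pattern = "^(" + "|".join(padded) + ")$"
    try:
        return re.search(pattern, remote_addr) is not None
    except re.error:
        return False  # SAN text that is not a valid pattern matches nothing


def exact_ip_match(remote_addr, san_values):
    """Compare parsed addresses; SAN text that is not a literal IP is ignored."""
    try:
        remote = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    for value in san_values:
        try:
            if ipaddress.ip_address(value) == remote:
                return True
        except ValueError:
            continue
    return False


if __name__ == "__main__":
    # Constructed cases: (client address, SAN values taken from the certificate)
    cases = [
        ("192.0.2.10", ["192.0.2.10"]),                # plain IPv4 literal
        ("192.0.2.77", [r"192\.0\.2\.\d+"]),           # SAN that is itself a pattern
        ("2001:db8::1", ["2001:db8:0:0:0:0:0:1"]),     # same IPv6 address, other spelling
        ("192.0.2.10", ["198.51.100.7"]),              # unrelated address
    ]
    for addr, sans in cases:
        print(addr, sans,
              "regex:", regex_style_match(addr, sans),
              "exact:", exact_ip_match(addr, sans))
```

The second case is the "whole subnets" effect mentioned in the follow-up: with the regex form, whoever decides what goes into the SAN decides the pattern, so the issuing CA's validation of SAN contents becomes part of the access rule.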

