httpd-users mailing list archives

From Pacicin Chiaricurri <paci...@gmail.com>
Subject Re: [users@httpd] SSL_CLIENT_SAN IP addr validation
Date Mon, 19 Dec 2016 15:51:14 GMT
Salam,

Are you related to Nabila Khalili by chance??

On Dec 19, 2016 10:41 AM, "Marat Khalili" <mkh@rqc.ru> wrote:

> Docs suggest
> <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire> using
> Require expr in place of SSLRequire. Require expr supports such variables
> as REMOTE_ADDR and CONN_REMOTE_ADDR. In any case, I do not see much sense
> in issuing or verifying certificates with IP address in subjectAltName.
>
> What you probably want is accepting clients belonging to a particular group.
> Issue them certificates with the same organizational unit and verify
> SSL_CLIENT_S_DN_OU as well as SSL_CLIENT_S_DN_O.
> --
>
> With Best Regards,
> Marat Khalili
>
> On 15/12/16 13:46, Andrei Ivanov wrote:
>
> Hi,
> I'm trying to validate incoming requests by comparing the request IP to
> the IP addresses provided in the client certificate subjectAltName.
>
> Searching around, I found http://wiki.cacert.org/
> ApacheServerClientCertificateAuthentication, which gives an example using
> the email address:
>
> SSLRequire %{SSL_CLIENT_S_DN_Email}   =~ m/^[^@]*@example\.com$/ \
>         or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/ \
>         or %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/ \
>         or %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/ \
>         or %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
>
>
> But there are 2 problems:
> 1. the IP addresses are not exported as variables by mod_ssl (see
> https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
> 2. The number of IP addresses is variable, so I am not sure how I could do
> the check with an expression
>
> The Apache Httpd is a frontend for a PHP and a Python application, so it
> would be nice to be able to do this filtering in one place instead of doing
> it at the applications level.
>
> Any suggestions?
>
> Thank you.
>
>
>
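The direction Marat's reply points at, written out as an httpd 2.4 configuration. This is an added example, not text from the thread and not configuration shipped by the Apache project: the client certificate must chain to the organisation's CA, access is then granted only when the Subject O and OU identify the expected group, and the source network is restricted on the real connection address (CONN_REMOTE_ADDR) rather than on anything the certificate claims. The server name, file paths, O/OU values and address range are placeholders.

```apache
# Added example (not from the thread): limit a location to holders of
# client certificates issued by our CA whose Subject O/OU mark them as
# members of one group, and additionally restrict the source network.
# All names, paths and address ranges below are placeholders.
<VirtualHost *:443>
    ServerName app.example.internal
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.internal.pem
    SSLCertificateKeyFile /etc/ssl/private/app.example.internal.key

    # Only certificates chaining to this CA are accepted at all; the TLS
    # handshake fails otherwise, so nothing reaches the PHP/Python backends.
    SSLCACertificateFile /etc/ssl/certs/internal-client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth 2

    <Location "/app">
        # Export the certificate fields (SSL_CLIENT_S_DN_O, SSL_CLIENT_S_DN_OU,
        # SSL_CLIENT_VERIFY, ...) to the backend applications as well.
        SSLOptions +StdEnvVars

        <RequireAll>
            # Group membership is taken from the Subject DN, which the CA
            # controls at issuance time, not from subjectAltName IP entries.
            Require expr "%{SSL_CLIENT_S_DN_O}  == 'Example Corp'"
            Require expr "%{SSL_CLIENT_S_DN_OU} == 'Operations'"
            # Source restriction uses the connection's peer address, so it
            # holds regardless of what the certificate says about addresses.
            Require expr "%{CONN_REMOTE_ADDR} -ipmatch '10.20.0.0/16'"
        </RequireAll>
    </Location>
</VirtualHost>
```

With SSLVerifyClient set to require, a client presenting no certificate or one not issued by the configured CA is rejected during the handshake, before any Require rule runs; the RequireAll block then narrows the already-verified population by DN and by network. The last rule is equivalent to `Require ip 10.20.0.0/16` and is written as an expression only to show the CONN_REMOTE_ADDR variable the reply mentions.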
