httpd-users mailing list archives

From Andrei Ivanov <andrei.iva...@gmail.com>
Subject [users@httpd] SSL_CLIENT_SAN IP addr validation
Date Thu, 15 Dec 2016 10:46:25 GMT
Hi,
I'm trying to validate incoming requests by comparing the request IP to the
IP addresses provided in the client certificate subjectAltName.

Searching around, I found
http://wiki.cacert.org/ApacheServerClientCertificateAuthentication, which
gives an example using the email address:

SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/ \
        or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/ \
        or %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/ \
        or %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/ \
        or %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/

But there are 2 problems:
1. the IP addresses are not exported as variables by mod_ssl (see
https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
2. The number of IP addresses is variable, not sure how I could do the
check with an expression

The Apache Httpd is a frontend for a PHP and a Python application, so it
would be nice to be able to do this filtering in one place instead of doing
it at the applications level.

Any suggestions?

Thank you.
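
Added example, not part of the original message and not mod_ssl code: a Python sketch of the comparison done at the application level, for any number of iPAddress subjectAltName entries. It assumes the SAN entries have already been extracted from the client certificate as (type, value) pairs in the shape Python's ssl getpeercert() returns; the function names and sample data are hypothetical.

```python
import ipaddress


def _canon(addr):
    """Parse an address string; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(addr.strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def san_ip_addresses(san_entries):
    """Return the set of iPAddress SAN values, ignoring DNS/email/URI entries.

    Values that do not parse as an address are skipped, so they can never match.
    """
    ips = set()
    for kind, value in san_entries:
        if kind != "IP Address":
            continue
        try:
            ips.add(_canon(value))
        except ValueError:
            continue
    return ips


def peer_matches_san(remote_addr, san_entries):
    """True only if the peer address equals one of the certificate's IP SANs.

    Fails closed: an unparsable peer address or a certificate with no IP SAN
    gives False. remote_addr must be the real TCP peer address, not a value
    taken from a client-supplied header.
    """
    try:
        peer = _canon(remote_addr)
    except ValueError:
        return False
    return peer in san_ip_addresses(san_entries)


# Constructed sample SAN list (documentation address ranges), not real data.
SAMPLE_SAN = (
    ("DNS", "client.example.com"),
    ("IP Address", "192.0.2.10"),
    ("IP Address", "2001:DB8:0:0:0:0:0:1"),
    ("IP Address", "not-an-ip"),
)

if __name__ == "__main__":
    for addr in ("192.0.2.10", "::ffff:192.0.2.10", "2001:db8::1", "192.0.2.11"):
        print(addr, peer_matches_san(addr, SAMPLE_SAN))
```

Comparing parsed addresses rather than strings is what makes the differently written IPv6 forms compare equal and keeps a malformed SAN value from ever matching.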
