httpd-users mailing list archives

From Andrei Ivanov <andrei.iva...@gmail.com>
Subject Re: [users@httpd] SSL_CLIENT_SAN IP addr validation
Date Mon, 19 Dec 2016 21:18:03 GMT
I think the nicest way would be like mod_ssl does with PeerExtList:

Example
SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6")

So at least it's nice to know Apache Httpd already does this in some cases.

I guess I'll update my ticket, or maybe create a new one for all
the subjectAltName variables.

Thanks for the help.

On Mon, Dec 19, 2016 at 7:48 PM, Marat Khalili <mkh@rqc.ru> wrote:

> As additional benefit, when you will be able to issue certificates with
> regular expressions matching whole subnets! :)
>
> --
>
> With Best Regards,
> Marat Khalili
>
>
> On 19/12/16 20:41, Marat Khalili wrote:
>
>>> Are you suggesting to put the IP address with the DNS prefix instead of
>>> the proper IP prefix?
>>>
>> Actually, I was not aware of official possibility of having an IP address
>> in subjectAltName until 5 minutes ago :) But since Apache developers also
>> didn't provide for this, using DNS prefix is definitely an option.
>>
>>> Also what about the possibility of having a variable number of addresses
>>> there?
>>>
>> Provided you are not going to have too many SANs, quick and dirty
>> solution would be:
>>
>>> Require expr "%{REMOTE_ADDR} =~ /^(%{SSL_CLIENT_SAN_DNS_1}|%{SSL_CLIENT_SAN_DNS_2}|%{SSL_CLIENT_SAN_DNS_3}|%{SSL_CLIENT_SAN_DNS_4}|...)$/"
>>>
>> (Missing variables will expand to empty strings.) I know it's
>> ugly as hell, but so are client certificates with multiple IP address
>> aliases.
>>
>> --
>>
>> With Best Regards,
>> Marat Khalili
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>
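For reference, here is a complete httpd configuration for the approach discussed in this thread (matching the connecting address against dNSName SAN entries of the client certificate). It is an added illustration, not configuration from either poster or from the httpd project. It assumes that SAN_DNS_n numbering starts at 0 (check the mod_ssl documentation for your release and adjust the indices), that the path /admin is the protected resource, and it uses the ap_expr `in` list operator, which compares whole strings, so the address values need no regex escaping.

```apache
# Added example: admit only clients whose certificate lists the connecting
# address as a subjectAltName (stored as dNSName entries, as the thread
# describes). Assumption: SAN_DNS_n indices start at 0; adjust to the index
# base documented for your mod_ssl release.
<Location "/admin">
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Exact, whole-string comparison of REMOTE_ADDR against up to four SAN
    # entries. A missing variable expands to the empty string and can never
    # equal a real address, so certificates with fewer SANs still work.
    Require expr "%{REMOTE_ADDR} in { %{SSL_CLIENT_SAN_DNS_0}, %{SSL_CLIENT_SAN_DNS_1}, %{SSL_CLIENT_SAN_DNS_2}, %{SSL_CLIENT_SAN_DNS_3} }"
</Location>

# Record the subject and the first SAN the check was made against, so a
# denied request (403) can be investigated from the access log.
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{SSL_CLIENT_S_DN}x\" \"%{SSL_CLIENT_SAN_DNS_0}x\"" ssl_san
CustomLog "logs/ssl_san_access.log" ssl_san
```

Two points worth keeping in mind when deploying this: `%{REMOTE_ADDR}` is the TCP peer address of the TLS connection, so the check only means something when clients terminate TLS directly on this server (behind a TCP-level proxy it would compare the proxy's address); and the comparison is a plain string match, so an IPv6 address written in a different textual form than the one httpd reports would not match.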
