httpd-users mailing list archives

From Marat Khalili <...@rqc.ru>
Subject Re: [users@httpd] SSL_CLIENT_SAN IP addr validation
Date Mon, 19 Dec 2016 17:41:24 GMT
> Are you suggesting to put the IP address with the DNS prefix instead 
> of the proper IP prefix?
Actually, I was not aware of the official possibility of having an IP 
address in subjectAltName until 5 minutes ago :) But since Apache 
developers also didn't provide for this, using the DNS prefix is definitely 
an option.

> Also what about the possibility of having a variable number of 
> addresses there?
Provided you are not going to have too many SANs, a quick and dirty 
solution would be:
> Require expr "%{REMOTE_ADDR} =~ 
> /^(%{SSL_CLIENT_SAN_DNS_1}|%{SSL_CLIENT_SAN_DNS_2}|%{SSL_CLIENT_SAN_DNS_3}|%{SSL_CLIENT_SAN_DNS_4}|...)$/"
(Missing variables will expand to empty strings). I hope  I know it's 
ugly as hell, but so are client certificates with multiple IP address 
aliases.

--

With Best Regards,
Marat Khalili
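
An added example, not part of the original message and not Apache httpd code: a Python model of the check above, comparing the expanded regex with an exact address comparison. It assumes, as the message states, that missing variables expand to empty strings and that the values are substituted into the pattern as text; the function names are hypothetical and the addresses are constructed documentation ranges.

```python
import ipaddress
import re

def expanded_pattern(san_dns, slots=4):
    """Regex text after substitution; unset SAN slots become empty strings."""
    values = list(san_dns[:slots]) + [""] * (slots - len(san_dns))
    return "^(" + "|".join(values) + ")$"

def regex_allows(remote_addr, san_dns, slots=4):
    """Model of the Require expr: textual regex match on the client address."""
    return re.search(expanded_pattern(san_dns, slots), remote_addr) is not None

def exact_allows(remote_addr, san_dns):
    """Stricter comparison: parse both sides as IP addresses, skip the rest."""
    try:
        client = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    for value in san_dns:
        try:
            if ipaddress.ip_address(value) == client:
                return True
        except ValueError:
            continue  # hostname or empty slot: never an address match
    return False

if __name__ == "__main__":
    # Constructed certificate contents: two address entries, two unused slots.
    sans = ["192.0.2.10", "2001:db8::1"]
    print(expanded_pattern(sans))
    for addr in ["192.0.2.10", "198.51.100.7", "", "2001:0db8:0:0:0:0:0:1"]:
        print(repr(addr), regex_allows(addr, sans), exact_allows(addr, sans))
```

The two differ on the empty string, which the empty alternatives accept, and on an IPv6 address written in a different but equivalent form, which only the parsed comparison accepts.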

