httpd-users mailing list archives

From Marat Khalili <...@rqc.ru>
Subject Re: [users@httpd] SSL_CLIENT_SAN IP addr validation
Date Mon, 19 Dec 2016 16:09:17 GMT
If you really put IP address in domain subjectAltName and want to verify 
it, I suppose expression should be something like this:

> Require expr "%{SSL_CLIENT_SAN_DNS_1} == %{REMOTE_ADDR}"


--

With Best Regards,
Marat Khalili

On 19/12/16 18:48, Andrei Ivanov wrote:
> Hi,
> Yes, I did notice the suggestion of using Require expr, the problem is 
> that I don't know what expression I could use, with the details 
> explained below.
>
> Anyway to do this without a variable containing the subjectAltName IP 
> address?
>
> Regarding if this actually makes sense or not is a different story, as 
> this was decided by other people... :-)
>
>
> On Mon, Dec 19, 2016 at 5:41 PM, Marat Khalili <mkh@rqc.ru> wrote:
>
>     Docs suggest
>     <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire>
>     using Require expr in place of SSLRequire. Require expr supports
>     such variables as REMOTE_ADDR and CONN_REMOTE_ADDR. In any case, I
>     do not see much sense in issuing or verifying certificates with IP
>     address in subjectAltName.
>
>     What you probably want is accepting clients belonging to
>     particular group. Issue them certificates with the same
>     organizational unit and verify SSL_CLIENT_S_DN_OU as well as
>     SSL_CLIENT_S_DN_O.
>
>     --
>
>     With Best Regards,
>     Marat Khalili
>
>     On 15/12/16 13:46, Andrei Ivanov wrote:
>>     Hi,
>>     I'm trying to validate incoming requests by comparing the request
>>     IP to the IP addresses provided in the client certificate
>>     subjectAltName.
>>
>>     Searching around, I found
>>     http://wiki.cacert.org/ApacheServerClientCertificateAuthentication,
>>     which gives an example using the email address:
>>     SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
>>                or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/
>>                or %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/
>>                or %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/
>>                or %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
>>
>>     But there are 2 problems:
>>     1. the IP addresses are not exported as variables by mod_ssl
>>     (see https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
>>     2. The number of IP addresses is variable, not sure how I could
>>     do the check with an expression
>>
>>     The Apache Httpd is a frontend for a PHP and a Python
>>     application, so it would be nice to be able to do this filtering
>>     in one place instead of doing it at the applications level.
>>
>>     Any suggestions?
>>
>>     Thank you.
>
>


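Since mod_ssl does not export the iPAddress entries of subjectAltName (bug 60456 above), the comparison Andrei asks for has to happen where the certificate itself is available, for instance in the application behind httpd once the PEM is passed through with SSLOptions +ExportCertData. The following is an added example, not code from this thread: it takes the DER value of a subjectAltName extension, collects every iPAddress and dNSName entry (so a variable number of addresses is handled), and tests whether the connecting address matches one of the IP entries, including the ::ffff:a.b.c.d form an IPv4 client can show up as on a dual-stack listener. The DER bytes are constructed for the example, and the function names are the example's own; extracting the extension from a full certificate is left to an X.509 library.

```python
import ipaddress

# Constructed sample: DER value of a subjectAltName extension
# (SEQUENCE OF GeneralName) with an IPv4, an IPv6 and a dNSName entry.
SAN_DER = bytes.fromhex(
    "3028"                                   # SEQUENCE, 40 bytes of content
    "8704c000020a"                           # [7] iPAddress 192.0.2.10
    "871020010db8000000000000000000000001"   # [7] iPAddress 2001:db8::1
    "820e" + "client.example".encode().hex()  # [2] dNSName client.example
)


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos).
    Short and long-form lengths are supported, which covers X.509 extensions."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def parse_san(der):
    """Return (ip_addresses, dns_names) found in a subjectAltName value."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("subjectAltName value must be a SEQUENCE")
    ips, dns = [], []
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == 0x87:                     # [7] iPAddress: 4 (IPv4) or 16 (IPv6) octets
            if len(value) not in (4, 16):
                raise ValueError("iPAddress entry has an invalid length")
            ips.append(ipaddress.ip_address(value))
        elif tag == 0x82:                   # [2] dNSName: IA5String
            dns.append(value.decode("ascii"))
        # other GeneralName choices (rfc822Name, URI, ...) are ignored here
    return ips, dns


def remote_matches_san(remote_addr, der):
    """True if the peer address equals one of the certificate's IP SANs."""
    addr = ipaddress.ip_address(remote_addr)
    # A dual-stack listener can report an IPv4 client as ::ffff:a.b.c.d;
    # compare the embedded IPv4 address in that case.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    ips, _ = parse_san(der)
    return addr in ips


if __name__ == "__main__":
    for peer in ("192.0.2.10", "::ffff:192.0.2.10", "2001:db8::1", "192.0.2.11"):
        print(peer, "->", "allowed" if remote_matches_san(peer, SAN_DER) else "denied")
```

The comparison goes through the ipaddress module rather than string equality so that textual variants of the same IPv6 address (2001:db8::1 versus 2001:0db8:0:0:0:0:0:1) compare equal; a plain string match in an expression would treat them as different.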