httpd-users mailing list archives

From Andrei Ivanov <andrei.iva...@gmail.com>
Subject Re: [users@httpd] filtering by IP SAN entries in the client certificate
Date Fri, 17 Feb 2017 14:30:13 GMT
On Thu, Feb 16, 2017 at 11:38 AM, Andrei Ivanov <andrei.ivanov@gmail.com>
wrote:

> On Wed, Feb 15, 2017 at 12:46 PM, Daniel Gruno <humbedooh@apache.org>
> wrote:
>
>> On 02/15/2017 11:31 AM, Andrei Ivanov wrote:
>> > Hi,
>> > I have a requirement to check incoming requests, something that would be
>> > succinctly expressed this way:
>> >
>> > <Location />
>> >     Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
>> > </Location>
>> >
>> > This would check that the request IP address is among the IP addresses
>> > in the client certificate.
>> >
>> > Unfortunately, this doesn't work:
>> > 1. SSL_CLIENT_SAN_IPaddr is not exposed by mod_ssl, but I've switched to
>> > mod_nss, which exports it
>> > 2. The expression evaluation engine doesn't know how to evaluate this
>> > kind of expression
>> > 3. I've tried using mod_lua for the expression, but it can't access this
>> > kind of environment variables (and the SSL specific only if exposed by
>> > mod_ssl, not other modules, like mod_nss)
>>
>> Have you tried using a rewriterule hack to pass the var?
>> RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPaddr}]
>>
>> that would expose it in mod_lua as r.subprocess_env['sanip'], provided
>> mod_nss actually exposes it.
>>
>
> Good idea, it... almost works (btw, I'm also discussing this topic on the
> mod_nss list):
>
> Did a quick index.php with a phpinfo() inside it and this is what I get
> for variables:
>
> _SERVER["SSL_CLIENT_SAN_IPaddr_0"]=127.0.0.1
> _SERVER["SSL_CLIENT_SAN_IPaddr_1"]=::1
> _SERVER["SSL_CLIENT_SAN_IPaddr_2"]=159.107.78.116
> _SERVER["SSL_CLIENT_SAN_IPaddr_3"]=fe80::6d03:4ce1:c15f:5a44
> _SERVER["SSL_CLIENT_SAN_Email_0"]=<redacted>
> _SERVER["SSL_CLIENT_SAN_Email_1"]=<redacted>
>
> So they are present.
>
> But this still only works for emails, not IPs:
> RewriteRule .* - [E=san_email:%{SSL:SSL_CLIENT_SAN_Email_0}]
> RewriteRule .* - [E=san_ip:%{SSL:SSL_CLIENT_SAN_IPaddr_0}]
>
> And the Lua part:
> r:emerg("san_ip: " .. (r.subprocess_env['san_ip'] or "N/A"));
> r:emerg("san_email: " .. (r.subprocess_env['san_email'] or "N/A"));
>
> With the associated log:
> [Wed Feb 15 18:54:10.357313 2017] [lua:emerg] [pid 19109] [client 159.107.78.116:63474] san_ip:
> [Wed Feb 15 18:54:10.357504 2017] [lua:emerg] [pid 19109] [client 159.107.78.116:63474] san_email: <redacted>
>
> Just an empty string for san_ip :-(
>
> I don't know what else to do to debug this and understand why the IP
> doesn't get there.
>
>

Following the debugging suggestion with mod_header, things are getting
weirder:
NSSOptions +StdEnvVars
RewriteEngine On
RewriteRule .* - [E=san_email_0:%{SSL:SSL_CLIENT_SAN_Email_0}]
RewriteRule .* - [E=san_email_1:%{SSL:SSL_CLIENT_SAN_Email_1}]
RewriteRule .* - [E=san_ip_0:%{SSL:SSL_CLIENT_SAN_IPaddr_0}]
RewriteRule .* - [E=san_ip_1:%{SSL:SSL_CLIENT_SAN_IPaddr_1}]
RewriteRule .* - [E=c_verify:%{SSL:SSL_CLIENT_VERIFY}]
RewriteRule .* - [E=c_s_dn:%{SSL:SSL_CLIENT_S_DN}]
RewriteRule .* - [E=ssl_ver_if:%{SSL:SSL_VERSION_INTERFACE}]
RewriteRule .* - [E=ssl_ver_lib:%{SSL:SSL_VERSION_LIBRARY}]
Header set Client-IP "%{REMOTE_ADDR}e"
Header set Client-SAN-Email-0 "%{SSL_CLIENT_SAN_Email_0}e"
Header set Client-SAN-Email-1 "%{SSL_CLIENT_SAN_Email_1}e"
Header set Client-SAN-IP-0 "%{SSL_CLIENT_SAN_IPaddr_0}e"
Header set Client-SAN-IP-1 "%{SSL_CLIENT_SAN_IPaddr_1}e"
Header set Client-DN "%{SSL_CLIENT_S_DN}s"

I've enabled StdEnvVars unconditionally, with the following results:
    1. The Header expressions work properly; the values are correct using
the 'e' specifier and not the 's' for SSL

    2. The RewriteRule expressions are broken, as can be seen from the Lua
script log output:
        [Fri Feb 17 16:21:31.021141 2017] [lua:emerg] [pid 6510] [client 159.107.78.110:65399] san_ip_0:
        [Fri Feb 17 16:21:31.021178 2017] [lua:emerg] [pid 6510] [client 159.107.78.110:65399] san_ip_1:
        [Fri Feb 17 16:21:31.021215 2017] [lua:emerg] [pid 6510] [client 159.107.78.110:65399] san_email_0: <email0>
        [Fri Feb 17 16:21:31.021251 2017] [lua:emerg] [pid 6510] [client 159.107.78.110:65399] san_email_1: <email0>

        The IP addresses are not found at all, while the Email addresses are
duplicated.
        Removing the SSL: prefix from the expressions doesn't change
anything.

Note: mod_ssl is not loaded at all, I've seen some of the modifiers mention
that they'll read data from it.
Maybe there's a bug regarding the RewriteRule expressions? I'm using
Apache/2.4.6 (Red Hat Enterprise Linux)


>> >
>> > I have run out of ideas on what to try.
>> >
>> > Please help.
>> >
>> > Thank you.
>>
>>

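Added example, not part of the thread above and not mod_lua's or mod_nss's own code: the check Andrei wants to express as `%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}`, written in Python over a dictionary shaped like the per-request environment that `+StdEnvVars` exposes (`SSL_CLIENT_SAN_IPaddr_0`, `_1`, ... plus `REMOTE_ADDR` and `SSL_CLIENT_VERIFY`). The sample environment is constructed from the values quoted in the thread, and the helper names (`san_ip_entries`, `parse_address`, `remote_addr_matches_san`) are this example's own. It goes a step beyond a plain string compare: addresses are canonicalised so that an IPv6 SAN written with zero compression, an IPv4-mapped remote address (`::ffff:a.b.c.d`) or a zone id on a link-local address still match their SAN entry, and a request whose client certificate did not verify is rejected before any SAN is consulted.

```python
import ipaddress

# Constructed sample of the request environment as mod_nss/mod_ssl expose it with
# +StdEnvVars; values modelled on the thread, not captured from a real request.
SAMPLE_ENV = {
    "REMOTE_ADDR": "159.107.78.116",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_SAN_IPaddr_0": "127.0.0.1",
    "SSL_CLIENT_SAN_IPaddr_1": "::1",
    "SSL_CLIENT_SAN_IPaddr_2": "159.107.78.116",
    "SSL_CLIENT_SAN_IPaddr_3": "fe80::6d03:4ce1:c15f:5a44",
    "SSL_CLIENT_SAN_Email_0": "user@example.invalid",  # constructed placeholder
}


def san_ip_entries(env, prefix="SSL_CLIENT_SAN_IPaddr_"):
    """Collect <prefix>0, <prefix>1, ... in index order, stopping at the first gap.

    This mirrors how the numbered SAN variables appear in the environment; there
    is no single comma-joined SSL_CLIENT_SAN_IPaddr variable to split.
    """
    entries = []
    i = 0
    while True:
        raw = env.get(f"{prefix}{i}")
        if raw is None:
            return entries
        entries.append(raw)
        i += 1


def parse_address(text):
    """Canonicalise an address string so textual variants compare equal.

    - strips an IPv6 zone id ("fe80::1%eth0" -> "fe80::1")
    - unwraps IPv4-mapped IPv6 ("::ffff:1.2.3.4" -> 1.2.3.4)
    Raises ValueError for anything that is not an IP address.
    """
    text = text.strip()
    if "%" in text:
        text = text.split("%", 1)[0]
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def remote_addr_matches_san(env):
    """Equivalent of the desired `%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}` test.

    Fails closed: no verified client certificate, no usable REMOTE_ADDR, or no
    matching IP SAN all yield False. A malformed SAN entry is skipped, not fatal.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return False
    try:
        remote = parse_address(env["REMOTE_ADDR"])
    except (KeyError, ValueError):
        return False
    for raw in san_ip_entries(env):
        try:
            if parse_address(raw) == remote:
                return True
        except ValueError:
            continue  # ignore an unparsable SAN entry rather than fail open
    return False


if __name__ == "__main__":
    print("allowed:", remote_addr_matches_san(SAMPLE_ENV))
```

The same loop ports directly to a mod_lua access hook that reads the numbered names from `r.subprocess_env` (the table used in the thread); the reason to canonicalise rather than compare strings is that the certificate's IPv6 SAN and the socket's peer address are printed by different code and need not agree on compression or case.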