httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Felipe Pereira <felmas...@gmail.com>
Subject [users@httpd] Re: Access control by root CA of the client certificate
Date Sun, 25 Jun 2017 23:20:08 GMT
​L
ast
​message

​I
 sent
​had
 formatting, I'm sorry.

Hi,
In our reverse proxy, we have a virtual host serving more than one Location.

Both locations require client certificate. SSLCACertificateFile includes
all root CAs trusted by both locations.

So, in Location2 I would like to allow access only to certificates where
the chain is:

CLIENT_CERT
\_ INTERMEDIATE_CERT (Issuer)
        \_ ROOT_CA (issuer's Issuer)  <-- can I access this with SSLRequire?

QUESTION: is there a way to control access by the root CA that is on top of
the chain?

I tried SSLRequire but it seems I can't access the root cert, only the
client cert and the intermediate (issuer) using SSL_CLIENT_I_DN.

I tried to use CustomLog and show %{SSL_CLIENT_CHAIN_1} and _2 but only the
intermediate is logged in _1, nothing is logged in _2.

It seems the only way to do this is splitting location2 to another virtual
host where I trust only the required root CA using SSLCACertificateFe would
prefer to avoid that, we don't want to change the web service endpoint
(both locations are web services).

Here's what I was trying:

<VirtualHost ws.my.domain>
  SSLCACertificateFile bundle.crt
    VerifyClient require
    SSLVerifyDepth 3
  <Location /location1>
...
  </Location>
  <Location /location2>
     VerfiyClient require
     SSLRequire %{SSL_CLIENT_CERT_CHAIN_1} == file("root1.pem")
...
  </Location>
</VirtualHost>

​I appreciate​
 any help,
Felipe

Mime
View raw message