From: Felipe Pereira
Date: Sun, 25 Jun 2017 20:20:08 -0300
To: users@httpd.apache.org
Subject: [users@httpd] Re: Access control by root CA of the client certificate
Last message I sent had formatting, I'm sorry.


Hi,
In our reverse proxy, we have a virtual host serving more than one Location.

Both locations require a client certificate. SSLCACertificateFile includes all root CAs trusted by both locations.

So, in Location2 I would like to allow access only to certificates where the chain is:

CLIENT_CERT
\_ INTERMEDIATE_CERT (Issuer)
        \_ ROOT_CA (issuer's Issuer)  <-- can I access this with SSLRequire?
QUESTION: is there a way to control access by the root CA that is on top of the chain?

I tried SSLRequire but it seems I can't access the root cert, only the client cert and the intermediate (issuer) using SSL_CLIENT_I_DN.

I tried to use CustomLog and show %{SSL_CLIENT_CHAIN_1} and _2 but only the intermediate is logged in _1, nothing is logged in _2.

It seems the only way to do this is splitting location2 into another virtual host where I trust only the required root CA using SSLCACertificateFile. I would prefer to avoid that, we don't want to change the web service endpoint (both locations are web services).

Here's what I was trying:

<VirtualHost ws.my.domain>
  # one bundle holding every root trusted by either location
  SSLCACertificateFile bundle.crt
  SSLVerifyClient require
  SSLVerifyDepth 3
  <Location /location1>
...
  </Location>
  <Location /location2>
    SSLVerifyClient require
    # attempted check: compare the first chain certificate with root1
    SSLRequire %{SSL_CLIENT_CERT_CHAIN_1} == file("root1.pem")
...
  </Location>
</VirtualHost>

I appreciate any help,
Felipe
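The distinction the post runs into, shown with the openssl CLI as an added example (not code from the post or from httpd): a client certificate verified against a bundle of roots is accepted whichever root it chains to, while verifying against a file holding only root1, which is what a separate virtual host with its own SSLCACertificateFile would do, accepts only chains ending at that root. The roots, intermediate and client certificate below are constructed in a temp directory; the intermediate is passed as untrusted, as mod_ssl receives it from the client.

```shell
#!/bin/sh
# Added demo, not from the post: a throwaway PKI in a temp dir, then the same
# X.509 chain verification mod_ssl performs against SSLCACertificateFile, run
# with the openssl CLI (1.1.1 or 3.x assumed) against a bundle vs. one root.
set -eu
WORK=$(mktemp -d); cd "$WORK"
trap 'rm -rf "$WORK"' EXIT

# CA extensions: OpenSSL rejects an issuer cert without CA:TRUE ("invalid CA").
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

# csr NAME CN -> NAME.key and NAME.csr (constructed throwaway keys, no passphrase)
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
    -subj "/CN=$2" 2>/dev/null
}
csr root1 "Root CA 1"; csr root2 "Root CA 2"; csr inter "Intermediate CA"; csr client "client"

# Two self-signed roots: root1 is the one /location2 should accept, root2 is
# another root that the shared bundle (SSLCACertificateFile) also trusts.
openssl x509 -req -in root1.csr -signkey root1.key -days 2 -extfile ca.ext -out root1.pem 2>/dev/null
openssl x509 -req -in root2.csr -signkey root2.key -days 2 -extfile ca.ext -out root2.pem 2>/dev/null
# Chain from the post: CLIENT_CERT -> INTERMEDIATE_CERT (issuer) -> ROOT_CA 1
openssl x509 -req -in inter.csr -CA root1.pem -CAkey root1.key -CAcreateserial \
  -days 2 -extfile ca.ext -out inter.pem 2>/dev/null
openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 2 -out client.pem 2>/dev/null
cat root1.pem root2.pem > bundle.pem   # like bundle.crt: every root, both locations

# chains_to TRUSTED.pem UNTRUSTED.pem CLIENT.pem
# Exit 0 if CLIENT builds a chain through the UNTRUSTED intermediates to a root
# in TRUSTED, non-zero otherwise. The default CAfile/CApath are switched off so
# that TRUSTED supplies the anchors, like a virtual host's own CA file.
chains_to() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

for anchor in bundle root1 root2; do
  if chains_to "$anchor.pem" inter.pem client.pem; then verdict=accepted; else verdict=rejected; fi
  echo "trust anchors = $anchor.pem: client.pem $verdict"
done
```

The bundle and root1 both accept the client, root2 rejects it; the per-root verdict is what a Location-level check would need and what the shared bundle alone cannot give.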