On Mon, Feb 13, 2017 at 10:00 PM, Rob Crittenden <[email protected]>
wrote:

> Andrei Ivanov wrote:
> > Hi,
> > I'm trying to configure a virtual host to perform some kind of mutual
> > authentication using client certificates, performing an extra type of
> > validation:
> >
> > <Location />
> >     NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
> > </Location>
> >
> > The problem at the moment seems to be that this expression is considered
> > invalid :-(
> >
> > I've also tried with
> > Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> >
> > Still error :-(
> >
> > AH00526: Syntax error on line 174 of /etc/httpd/conf.d/nss.conf:
> > Cannot parse expression in require line: syntax error, unexpected $end
> >
> > Is this kind of expression really not supported?
> > What are my options for such an expression?
>
> This isn't supported and I imagine the parsing engine would need to be
> extended quite a bit to do so.
>
> I don't know of a dynamic way to do this, you'd have to hardcode the SAN
> list into the config.
>
> rob
>
>
Uf, the idea was to have each client certificate hold the list of IPs for
which it is valid, similar to the DNS entries.

And I was so happy seeing that mod_nss exports the SSL_CLIENT_SAN_IPaddr
(and as an array) vs mod_ssl.

I guess I'll create a ticket to get this kind of expression supported, but
I won't count on getting it implemented.

Thank you.
_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
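The check discussed in this thread (the client's address must be one of the IP entries in its certificate's SAN) can be enforced in the application behind the server when the server's expression parser cannot do it. The following is an added example, not code from the thread or from mod_nss; it assumes the SAN IP entries reach the application as environment variables named `SSL_CLIENT_SAN_IPaddr_0`, `SSL_CLIENT_SAN_IPaddr_1`, and so on (the indexed naming is an assumption, the thread only says the variable is exported as an array), and the helper names are hypothetical.

```python
import ipaddress

# Assumed naming: the thread only says SSL_CLIENT_SAN_IPaddr is exported "as
# an array"; the _0, _1, ... suffixes are an assumption for illustration.
SAN_PREFIX = "SSL_CLIENT_SAN_IPaddr_"


def _normalize(value):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d -> a.b.c.d)."""
    addr = ipaddress.ip_address(value.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def san_ip_entries(environ):
    """Collect consecutive SAN IP entries from the request environment."""
    entries, index = [], 0
    while SAN_PREFIX + str(index) in environ:
        entries.append(environ[SAN_PREFIX + str(index)])
        index += 1
    return entries


def client_ip_allowed(environ):
    """True only if REMOTE_ADDR equals one of the certificate's SAN IP entries."""
    # Fail closed: a missing or unparseable REMOTE_ADDR never grants access.
    try:
        remote = _normalize(environ["REMOTE_ADDR"])
    except (KeyError, ValueError):
        return False
    for raw in san_ip_entries(environ):
        try:
            # Compare parsed addresses, not strings, so "10.0.0.1" cannot
            # match inside "110.0.0.10" and IPv6 spellings compare equal.
            if _normalize(raw) == remote:
                return True
        except ValueError:
            continue  # skip a malformed entry, keep checking the rest
    return False


# Constructed sample environment (documentation addresses, not real data).
SAMPLE = {
    "REMOTE_ADDR": "::ffff:192.0.2.10",
    "SSL_CLIENT_SAN_IPaddr_0": "198.51.100.7",
    "SSL_CLIENT_SAN_IPaddr_1": "192.0.2.10",
}
```

If the server sits behind a reverse proxy, `REMOTE_ADDR` is the proxy's address, so this comparison is only meaningful where the TLS connection terminates.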
