Hi,
I'm trying to access the SSL_CLIENT_SAN_IPAddr variables that mod_nss
should expose, from a Lua authorization script.
The problem is that it doesn't seem to work :-(
Following a suggestion from the users group, I used some RewriteRule to
expose variables and some are visible, but the client SAN IP addresses are
not:
LuaScope thread
LuaAuthzProvider remote_ip_in_client_san /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua authz_check_remote_ip_in_client_san
RewriteEngine On
RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPAddr_0}]
RewriteRule .* - [E=c_verify:%{SSL:SSL_CLIENT_VERIFY}]
RewriteRule .* - [E=c_s_dn:%{SSL:SSL_CLIENT_S_DN}]
RewriteRule .* - [E=ssl_ver_if:%{SSL:SSL_VERSION_INTERFACE}]
RewriteRule .* - [E=ssl_ver_lib:%{SSL:SSL_VERSION_LIBRARY}]
<Location />
Require remote_ip_in_client_san
#NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
#Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
</Location>
The generated log:
[Wed Feb 15 13:14:07.653866 2017] ssl ver if: mod_nss/1.0.14
[Wed Feb 15 13:14:07.653871 2017] ssl ver lib: NSS/3.21 Basic ECC
[Wed Feb 15 13:14:07.653876 2017] client verify: SUCCESS
[Wed Feb 15 13:14:07.653881 2017] client DN: CN=client-with-subjectAltName-with-IPs
[Wed Feb 15 13:14:07.653886 2017] sanip:
Initially I hoped that mod_nss would expose all the SAN IP addresses as an
array (SSL_CLIENT_SAN_IPAddr), but now I've read that it actually should
create a variable for each, with a suffix (SSL_CLIENT_SAN_IPAddr_0), but
that doesn't seem to be available either.
What am I doing wrong?
Please help.
Thank you.
_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
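For readers who want to see what the authorization provider referenced above could look like once the SAN variables are reachable, here is an added example of a mod_lua authz provider (this is not the poster's script and not part of mod_nss). It assumes that mod_lua's `r:ssl_var_lookup()` reaches mod_nss's variable lookup (the same optional function that mod_rewrite's `%{SSL:...}` uses), that the per-address variables are named `SSL_CLIENT_SAN_IPAddr_0`, `SSL_CLIENT_SAN_IPAddr_1`, ... as the post describes, and that the provider is registered with the `LuaAuthzProvider` line from the post. The function name `authz_check_remote_ip_in_client_san` matches that line; `san_ip_list` is a helper invented here.

```lua
-- Added example (not the poster's code): mod_lua authorization provider that
-- grants access only when the connecting IP is listed as an IP-type SAN in the
-- verified client certificate.  Assumes r:ssl_var_lookup() is answered by
-- mod_nss; falls back to subprocess_env in case a RewriteRule [E=...] or
-- StdEnvVars already copied the value there.

-- Collect SSL_CLIENT_SAN_IPAddr_0, _1, ... until the first missing suffix.
local function san_ip_list(r)
    local ips = {}
    local i = 0
    while true do
        local name = "SSL_CLIENT_SAN_IPAddr_" .. i
        local v = r:ssl_var_lookup(name)
        if v == nil or v == "" then v = r.subprocess_env[name] end
        if v == nil or v == "" then break end
        ips[#ips + 1] = v
        i = i + 1
    end
    return ips
end

-- Entry point named in: LuaAuthzProvider remote_ip_in_client_san <script> authz_check_remote_ip_in_client_san
function authz_check_remote_ip_in_client_san(r, ...)
    -- Only trust the SAN list if the client certificate actually verified.
    local verify = r:ssl_var_lookup("SSL_CLIENT_VERIFY")
    if verify == nil or verify == "" then verify = r.subprocess_env["SSL_CLIENT_VERIFY"] end
    if verify ~= "SUCCESS" then
        r:warn("client certificate not verified (" .. tostring(verify) .. "); denying")
        return apache2.AUTHZ_DENIED
    end

    local peer = r.useragent_ip          -- address the request arrived from
    local ips = san_ip_list(r)
    if #ips == 0 then
        -- This is the situation the post describes: no SAN variables visible.
        r:warn("no SSL_CLIENT_SAN_IPAddr_N variables visible for " .. peer .. "; denying")
        return apache2.AUTHZ_DENIED
    end

    for _, ip in ipairs(ips) do
        if ip == peer then
            return apache2.AUTHZ_GRANTED
        end
    end
    r:notice("client " .. peer .. " not in certificate SAN IPs (" .. table.concat(ips, ",") .. ")")
    return apache2.AUTHZ_DENIED
end
```

The provider fails closed: an unverified certificate or an empty SAN list is a denial, and the log line says which case was hit, which is the fastest way to tell whether the variables are simply not being exported. The comparison is a plain string match, so for IPv6 peers the textual form in the certificate must match what httpd reports in `r.useragent_ip`; normalising both sides before comparing would be the next refinement.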