On Wed, Feb 15, 2017 at 1:24 PM, Andrei Ivanov <[email protected]>
wrote:
> Hi,
> I'm trying to access the SSL_CLIENT_SAN_IPAddr variables that mod_nss
> should expose, from a Lua authorization script.
> The problem is that it doesn't seem to work :-(
>
> Following a suggestion from the users group, I used some RewriteRule to
> expose variables and some are visible, but the client SAN IP addresses are
> not:
>
>
I've also tried with SSL_CLIENT_SAN_IPaddr_0, as the source code seems to
be using it, still no luck :-(
I've checked with SSL_CLIENT_SAN_Email_0 and that works, so it might be an
IP address type issue (?)
> LuaScope thread
> LuaAuthzProvider remote_ip_in_client_san
> /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua
> authz_check_remote_ip_in_client_san
> RewriteEngine On
> RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPAddr_0}]
> RewriteRule .* - [E=c_verify:%{SSL:SSL_CLIENT_VERIFY}]
> RewriteRule .* - [E=c_s_dn:%{SSL:SSL_CLIENT_S_DN}]
> RewriteRule .* - [E=ssl_ver_if:%{SSL:SSL_VERSION_INTERFACE}]
> RewriteRule .* - [E=ssl_ver_lib:%{SSL:SSL_VERSION_LIBRARY}]
> <Location />
> Require remote_ip_in_client_san
> #NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
> #Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> </Location>
>
> The generated log:
> [Wed Feb 15 13:14:07.653866 2017] ssl ver if: mod_nss/1.0.14
> [Wed Feb 15 13:14:07.653871 2017] ssl ver lib: NSS/3.21 Basic ECC
> [Wed Feb 15 13:14:07.653876 2017] client verify: SUCCESS
> [Wed Feb 15 13:14:07.653881 2017] client DN: CN=client-with-subjectAltName-with-IPs
> [Wed Feb 15 13:14:07.653886 2017] sanip:
>
> Initially I hoped that mod_nss would expose all the SAN IP addresses as an
> array (SSL_CLIENT_SAN_IPAddr), but now I've read that it actually should
> create a variable for each, with a suffix (SSL_CLIENT_SAN_IPAddr_0), but
> that doesn't seem to be available either.
>
> What am I doing wrong?
> Please help.
>
> Thank you.
>
_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
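An added example, not from the original post or from mod_nss, of what the remote_ip_in_client_san provider in the configuration above could look like as a mod_lua authz script. It assumes that r:ssl_var_lookup() reaches mod_nss's ssl_var_lookup optional function (the same hook RewriteRule's %{SSL:...} uses) and that the per-entry variables are named SSL_CLIENT_SAN_IPAddr_N; it fails closed when no such variable is exposed, which is the symptom the thread describes, and logs why.

```lua
-- Hypothetical mod_lua authz provider for "Require remote_ip_in_client_san".
-- Assumption: r:ssl_var_lookup() is served by mod_nss's ssl_var_lookup hook;
-- the request environment (RewriteRule [E=...]) is checked as a fallback.
local MAX_SAN_ENTRIES = 32  -- constructed upper bound on _N suffixes to probe

-- First non-empty value for name: SSL lookup first, then subprocess_env.
local function lookup(r, name)
    local v = r:ssl_var_lookup(name)
    if v == nil or v == "" then
        v = r.subprocess_env[name]
    end
    if v == "" then v = nil end
    return v
end

-- Collect SSL_CLIENT_SAN_IPAddr_0, _1, ... until the first missing suffix.
local function client_san_ips(r)
    local ips = {}
    for i = 0, MAX_SAN_ENTRIES - 1 do
        local v = lookup(r, "SSL_CLIENT_SAN_IPAddr_" .. i)
        if v == nil then break end
        ips[#ips + 1] = v
    end
    return ips
end

function authz_check_remote_ip_in_client_san(r, ...)
    -- Never trust SAN data from a certificate that did not verify.
    if lookup(r, "SSL_CLIENT_VERIFY") ~= "SUCCESS" then
        r:warn("client certificate not verified; denying")
        return apache2.AUTHZ_DENIED
    end
    local ips = client_san_ips(r)
    if #ips == 0 then
        -- Fail closed: nothing exposed means nothing can be matched.
        r:warn("no SSL_CLIENT_SAN_IPAddr_N variable exposed for " ..
               (lookup(r, "SSL_CLIENT_S_DN") or "unknown DN"))
        return apache2.AUTHZ_DENIED
    end
    -- Plain string comparison: an IPv6 SAN written in a different textual
    -- form than the peer address will not match; normalise before deploying.
    local remote = r.useragent_ip
    for _, ip in ipairs(ips) do
        if ip == remote then return apache2.AUTHZ_GRANTED end
    end
    r:info("remote " .. remote .. " not in client SAN IPs: " ..
           table.concat(ips, ","))
    return apache2.AUTHZ_DENIED
end
```

With LogLevel set to info for mod_lua, the warn/info lines show in the error log whether the denial came from a missing variable or from a genuine mismatch, which separates the mod_nss export problem from an authorization failure.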