On Wed, Feb 15, 2017 at 6:31 PM, Rob Crittenden <[email protected]> wrote:
> Andrei Ivanov wrote:
> > Hi,
> > I'm trying to access the SSL_CLIENT_SAN_IPAddr variables that mod_nss
> > should expose, from a Lua authorization script.
> > The problem is that it doesn't seem to work :-(
> >
> > Following a suggestion from the users group, I used some RewriteRule to
> > expose variables and some are visible, but the client SAN IP addresses
> > are not:
> >
> > LuaScope thread
> > LuaAuthzProvider remote_ip_in_client_san
> > /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua
> > authz_check_remote_ip_in_client_san
> > RewriteEngine On
> > RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPAddr_0}]
> > RewriteRule .* - [E=c_verify:%{SSL:SSL_CLIENT_VERIFY}]
> > RewriteRule .* - [E=c_s_dn:%{SSL:SSL_CLIENT_S_DN}]
> > RewriteRule .* - [E=ssl_ver_if:%{SSL:SSL_VERSION_INTERFACE}]
> > RewriteRule .* - [E=ssl_ver_lib:%{SSL:SSL_VERSION_LIBRARY}]
> > <Location />
> > Require remote_ip_in_client_san
> > #NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
> > #Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> > </Location>
> >
> > The generated log:
> > [Wed Feb 15 13:14:07.653866 2017] ssl ver if: mod_nss/1.0.14
> > [Wed Feb 15 13:14:07.653871 2017] ssl ver lib: NSS/3.21 Basic ECC
> > [Wed Feb 15 13:14:07.653876 2017] client verify: SUCCESS
> > [Wed Feb 15 13:14:07.653881 2017] client DN: CN=client-with-subjectAltName-with-IPs
> > [Wed Feb 15 13:14:07.653886 2017] sanip:
> >
> > Initially I hoped that mod_nss would expose all the SAN IP addresses as
> > an array (SSL_CLIENT_SAN_IPAddr), but now I've read that it actually
> > should create a variable for each, with a suffix
> > (SSL_CLIENT_SAN_IPAddr_0), but that doesn't seem to be available either.
> >
> > What am I doing wrong?
> > Please help.
>
> Are the variables case-sensitive with rewrite rules? If so you have a
> typo, IPAddr vs IPaddr.
>
> As far as I can tell the variable should be available.
>
> rob
>
>
I've also tried with SSL_CLIENT_SAN_IPaddr_0, as the source code seems to
be using it (as opposed to the documentation), still no luck :-(
I've checked with SSL_CLIENT_SAN_Email_0 and that works, so it might be an
IP address type issue (?)
_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
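As an added example (not code from the thread or from the mod_nss project), this is one way to write the `remote_ip_in_client_san` provider referenced by the LuaAuthzProvider line above. It assumes mod_lua's `r.subprocess_env` and `r.useragent_ip` accessors, that the TLS module actually exports the `SSL_CLIENT_SAN_IP*` variables into the environment (assumed here via `NSSOptions +StdEnvVars`), and it reads both the `IPAddr` and `IPaddr` spellings discussed in the thread, falling back to the `sanip` variable the RewriteRule sets.

```lua
-- Added example, not from the thread: mod_lua authz provider for
--   LuaAuthzProvider remote_ip_in_client_san <script> authz_check_remote_ip_in_client_san
--   Require remote_ip_in_client_san
require "apache2"

-- Pure comparison, kept apart from the request object so it can be exercised
-- outside httpd. Entries are compared case-insensitively; no IPv6 zero-compression
-- normalisation is attempted, so "::1" and "0:0:0:0:0:0:0:1" would not match.
local function ip_in_list(remote, san_ips)
  if not remote then return false end
  remote = remote:lower()
  for _, ip in ipairs(san_ips) do
    if ip:lower() == remote then return true end
  end
  return false
end

-- Collect SSL_CLIENT_SAN_IPAddr_N (documented spelling) and SSL_CLIENT_SAN_IPaddr_N
-- (spelling the thread reports in the source) from the request environment.
-- Assumption: the TLS module exports these variables (NSSOptions +StdEnvVars).
local function client_san_ips(r)
  local env = r.subprocess_env
  local ips = {}
  for _, prefix in ipairs({ "SSL_CLIENT_SAN_IPAddr_", "SSL_CLIENT_SAN_IPaddr_" }) do
    local i = 0
    while true do
      local v = env[prefix .. i]
      if v == nil or v == "" then break end
      ips[#ips + 1] = v
      i = i + 1
    end
  end
  -- Fallback: the "sanip" variable populated by the RewriteRule in the thread.
  if #ips == 0 and env["sanip"] and env["sanip"] ~= "" then ips[1] = env["sanip"] end
  return ips
end

-- Entry point named in LuaAuthzProvider. Deny by default: a verified certificate
-- with no IP SANs, or an unverified client, must not be granted access.
function authz_check_remote_ip_in_client_san(r)
  if r.subprocess_env["SSL_CLIENT_VERIFY"] ~= "SUCCESS" then
    return apache2.AUTHZ_DENIED
  end
  local ips = client_san_ips(r)
  if ip_in_list(r.useragent_ip, ips) then
    return apache2.AUTHZ_GRANTED
  end
  r:warn("client " .. tostring(r.useragent_ip) .. " not among " .. #ips .. " certificate IP SAN(s)")
  return apache2.AUTHZ_DENIED
end
```

If the warning reports zero SANs while `SSL_CLIENT_SAN_Email_0` is visible, the variables are not reaching the environment at all, which is the symptom the thread describes, rather than a comparison problem in the script.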