Andrei Ivanov wrote:
> On Wed, Feb 15, 2017 at 6:31 PM, Rob Crittenden <[email protected]
> <mailto:[email protected]>> wrote:
>
> > Andrei Ivanov wrote:
> > > Hi,
> > > I'm trying to access the SSL_CLIENT_SAN_IPAddr variables that mod_nss
> > > should expose, from a Lua authorization script.
> > > The problem is that it doesn't seem to work :-(
> > >
> > > Following a suggestion from the users group, I used some RewriteRule to
> > > expose variables and some are visible, but the client SAN IP addresses
> > > are not:
> > >
> > > LuaScope thread
> > > LuaAuthzProvider remote_ip_in_client_san /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua authz_check_remote_ip_in_client_san
> > > RewriteEngine On
> > > RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPAddr_0}]
> > > RewriteRule .* - [E=c_verify:%{SSL:SSL_CLIENT_VERIFY}]
> > > RewriteRule .* - [E=c_s_dn:%{SSL:SSL_CLIENT_S_DN}]
> > > RewriteRule .* - [E=ssl_ver_if:%{SSL:SSL_VERSION_INTERFACE}]
> > > RewriteRule .* - [E=ssl_ver_lib:%{SSL:SSL_VERSION_LIBRARY}]
> > > <Location />
> > >     Require remote_ip_in_client_san
> > >     #NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
> > >     #Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> > > </Location>
> > >
> > > The generated log:
> > > [Wed Feb 15 13:14:07.653866 2017] ssl ver if: mod_nss/1.0.14
> > > [Wed Feb 15 13:14:07.653871 2017] ssl ver lib: NSS/3.21 Basic ECC
> > > [Wed Feb 15 13:14:07.653876 2017] client verify: SUCCESS
> > > [Wed Feb 15 13:14:07.653881 2017] client DN: CN=client-with-subjectAltName-with-IPs
> > > [Wed Feb 15 13:14:07.653886 2017] sanip:
> > >
> > > Initially I hoped that mod_nss would expose all the SAN IP addresses as
> > > an array (SSL_CLIENT_SAN_IPAddr), but now I've read that it actually
> > > should create a variable for each, with a suffix
> > > (SSL_CLIENT_SAN_IPAddr_0), but that doesn't seem to be available either.
> > >
> > > What am I doing wrong?
> > > Please help.
> >
> > Are the variables case-sensitive with rewrite rules? If so you have a
> > typo, IPAddr vs IPaddr.
> >
> > As far as I can tell the variable should be available.
> >
> > rob
>
> I've also tried with SSL_CLIENT_SAN_IPaddr_0, as the source code seems
> to be using it (as opposed to the documentation), still no luck :-(
> I've checked with SSL_CLIENT_SAN_Email_0 and that works, so it might be
> an IP address type issue (?)

You can try to confirm by creating a short cgi that prints the environment and requires a client cert and pointing your client at that to see what comes out.

rob

_______________________________________________
Mod_nss-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/mod_nss-list
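An added example of the diagnostic CGI Rob suggests, not code from the thread or from the mod_nss project. It assumes the script is served through a ScriptAlias from a location that requires a client certificate, so mod_nss populates the SSL_CLIENT_* environment for the request. Variable names are the ones quoted in the thread (SSL_CLIENT_VERIFY, SSL_CLIENT_SAN_IPAddr_0, SSL_CLIENT_SAN_Email_0); the collector matches the SAN type case-insensitively so an IPAddr/IPaddr spelling difference shows up in the dump instead of being silently missed. It also implements the REMOTE_ADDR-in-SAN check the Lua provider is meant to perform, as plain Python, so the logic can be tested against a constructed environment when no client certificate is at hand.

```python
#!/usr/bin/env python3
"""Dump the client-certificate environment exposed to a CGI and evaluate
whether REMOTE_ADDR is listed among the certificate's IP-address SANs.

Added example (not from the mailing-list thread). Assumes mod_nss (or
mod_ssl) exports SSL_CLIENT_VERIFY and SSL_CLIENT_SAN_<type>_<n> variables.
"""
import os
import re
import sys

# Matches SSL_CLIENT_SAN_IPAddr_0, SSL_CLIENT_SAN_Email_1, SSL_CLIENT_SAN_DNS_2, ...
# The <type> part is captured as-is and normalised later, so IPAddr and IPaddr
# both land in the same bucket.
SAN_RE = re.compile(r"^SSL_CLIENT_SAN_([A-Za-z]+)_(\d+)$")

# Constructed sample environment, used only when the script is run outside a
# CGI context (no GATEWAY_INTERFACE) so it can be exercised offline.
SAMPLE_ENV = {
    "REMOTE_ADDR": "192.0.2.11",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=client-with-subjectAltName-with-IPs",
    "SSL_CLIENT_SAN_IPAddr_0": "192.0.2.10",
    "SSL_CLIENT_SAN_IPAddr_1": "192.0.2.11",
    "SSL_CLIENT_SAN_Email_0": "client@example.com",
}


def collect_san(env):
    """Group SAN values by lower-cased type, ordered by their numeric suffix."""
    found = {}
    for name, value in env.items():
        m = SAN_RE.match(name)
        if not m:
            continue
        kind, idx = m.group(1).lower(), int(m.group(2))
        found.setdefault(kind, []).append((idx, value))
    return {kind: [v for _, v in sorted(entries)] for kind, entries in found.items()}


def remote_ip_in_san(env):
    """Authorization test: peer address must appear in the cert's IPAddr SANs.

    Only a successfully verified client certificate counts; an unverified or
    absent certificate must never authorize, whatever its SAN content.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return False
    remote = env.get("REMOTE_ADDR", "")
    return remote in collect_san(env).get("ipaddr", [])


def report(env):
    """Plain-text report of every SSL_* variable plus the SAN summary."""
    lines = ["SSL variables visible to this request:"]
    for name in sorted(n for n in env if n.startswith("SSL_")):
        lines.append(f"  {name}={env[name]}")
    lines.append("")
    lines.append("Subject Alternative Names by type:")
    sans = collect_san(env)
    if not sans:
        lines.append("  (no SSL_CLIENT_SAN_* variables present)")
    for kind, values in sorted(sans.items()):
        lines.append(f"  {kind}: {', '.join(values)}")
    lines.append("")
    verdict = "yes" if remote_ip_in_san(env) else "no"
    lines.append(f"REMOTE_ADDR={env.get('REMOTE_ADDR', '')} in IPAddr SANs: {verdict}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Under httpd, GATEWAY_INTERFACE is set and the real environment is used.
    env = os.environ if "GATEWAY_INTERFACE" in os.environ else SAMPLE_ENV
    sys.stdout.write("Content-Type: text/plain\r\n\r\n")
    sys.stdout.write(report(env))
```

Point a client that presents the SAN-bearing certificate at this script: if the dump shows SSL_CLIENT_SAN_Email_0 but no IPAddr entry at all, the variable is not being exported by mod_nss for that SAN type and no amount of RewriteRule or Lua will surface it; if it shows up under a differently-spelled name, the rewrite rules simply need to use that spelling.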
