On Tue, Mar 23, 1999, Owen Williams wrote:
> I'm trying to reject users who have certificates but have abused their
> privilege. From within my virtualhost I have:
>
> <Directory /home/www/virtual/secure/secure>
> # Reject Banned Users
> SSLRequire (!( %{SSL_CLIENT_S_DN_Email} in { file("/home/www/virtual/secure/secure/ssl/BannedUsers") } ))
> </Directory>
>
> This file is just a list of email addresses. This has no effect even if I
> remove the '!'. I have switched trace (or debug) logging on but I don't
> see anything related to SSLRequire.
>
> Any ideas?

Hmmm... yes, although the above construct is syntactically correct, it's not
exactly what you want. The file() construct expands to a single word in the
"in {}" list. So, the expression actually tests nothing more than whether
%{SSL_CLIENT_S_DN_Email} is equal to the file's contents
(which obviously never is the case, because in this file a list exists, with
addresses one per line). So what you have to do is inline the email addresses
until I implement some sort of a real map lookup as in mod_rewrite:

SSLRequire not ( %{SSL_CLIENT_S_DN_Email} in { \
    "foo1@bar", "baz1@quux", \
    "foo2@bar", "baz2@quux", \
    "foo3@bar", "baz3@quux" \
} )

Currently the file() stuff is very rudimentary and actually useful only to
check a whole certificate against a file containing the PEM version of it.

Ralf S. Engelschall
[EMAIL PROTECTED]
www.engelschall.com
______________________________________________________________________
Apache Interface to SSLeay (mod_ssl) www.engelschall.com/sw/mod_ssl/
Official Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
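
Added example (not part of the original thread, and not mod_ssl code): since the reply says the addresses must be inlined, one way to keep a one-address-per-line BannedUsers file as the source of truth is to generate the SSLRequire directive from it. The function names, the "#" comment convention, the address pattern and the sample data are assumptions made for this sketch.

```python
import re

# Assumed conservative pattern: no quotes, backslashes, braces or whitespace,
# so a line from the file can never break out of its quoted word.
_ADDR = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+")

# Constructed sample standing in for the BannedUsers file.
SAMPLE = """\
# banned users, one address per line
foo1@bar
baz1@quux

foo1@bar
bad"quote@bar
foo2@bar
"""

def parse_banned(text):
    """Return (unique addresses in file order, [(lineno, rejected line)])."""
    addrs, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        if not _ADDR.fullmatch(line):          # refuse anything unsafe to quote
            rejected.append((lineno, raw))
            continue
        if line not in seen:                   # drop duplicates
            seen.add(line)
            addrs.append(line)
    return addrs, rejected

def ssl_require(addrs, per_line=2):
    """Build the inlined directive in the layout shown in the reply."""
    if not addrs:
        # Emit no expression at all for an empty ban list.
        return "# no banned users: no SSLRequire emitted\n"
    words = ['"%s"' % a for a in addrs]
    rows = [", ".join(words[i:i + per_line])
            for i in range(0, len(words), per_line)]
    body = ", \\\n".join("    " + r for r in rows)
    return ("SSLRequire not ( %{SSL_CLIENT_S_DN_Email} in { \\\n"
            + body + " \\\n} )\n")

if __name__ == "__main__":
    addrs, rejected = parse_banned(SAMPLE)
    for lineno, raw in rejected:
        print("# skipped line %d: %r" % (lineno, raw))
    print(ssl_require(addrs), end="")
```

The generated directive goes inside the <Directory> block and has to be regenerated, and the server configuration reloaded, whenever the file changes.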