Hello, We are trying to set up mod_ssl to get some "proper" access to two classes of users.
First, everybody must use client certs (signed by our CA). Client cert control is okay and works properly (SSLVerifyClient require, SSLVerifyDepth 1 and such). Now, we have two classes of client certs, based on the OU. Say, OU="Class 1" and OU="Class 2". We want to allow : - all users with "Class 1" certificates, and - users with "Class 2" certs ONLY when they are browsing from some IP addresses. Those IP addresses are not known in advance, and may be dynamic. Let's say we have an external list (updated by some mean, irrelevant to our problem). How can we check this list and correlate it with the OU from the client cert ? We thought that something like SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Class 1" or ( %{SSL_CLIENT_S_DN_OU} eq "Class 2" and %{REMOTE_ADDR} in { file("/tmp/list") } ) (where /tmp/list is a list of allowed IP addresses) would be the way to go, but this utterly fails. Mod_ssl properly opens the file (strace shows that), but even when the browser is coming from an IP in the list, no access is granted. Is this a problem coming from the file's content (syntax ?), or are we wrong in our thinking ? And then, what would be the way to go ? Tia, -- FdL __________________________________________________ Do You Yahoo!? En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicités http://mail.yahoo.fr Yahoo! Mail ______________________________________________________________________ Apache Interface to OpenSSL (mod_ssl) www.modssl.org User Support Mailing List modssl-users@modssl.org Automated List Manager [EMAIL PROTECTED]