Hey guys,
I hope you're all doing fine. I need a little support here on SSL client
verification; please tell me if this is not the right place.
I need to check a specific extension field value from X.509 client
certificates to grant access to defined users.
I read this could be possible using the oid() or peerextlist() functions.
I had to determine the field OID using the OpenSSL Java package, and I'm
trying to debug the SSLRequire check using the SetEnvIf module and SSI + Perl
printenv.pl (maybe there is a better way to do this?).
So, my problem is I can't seem to find a way to validate my client based
on this field.
I was wondering, first: should this work? Second: if the extension value
is DER encoded, would Apache be able to handle this check, and how would I
store the granted values?
I'm using Apache 2.2.9. Let me know if you need some more detailed info
on this; I can hand over the certificate or my entire configuration file if
needed.
This is what I ended up trying, and the results:
SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire +StdEnvVars
SSLCertificateFile ssl/server.crt
SSLCertificateKeyFile ssl/server-private.key
LogLevel debug
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /ssl/clients/ca.crt
<Location />
SetenvIf OID("2.5.4.5") "(.*)" OIDTEST=$1
SSLRequire "400023144340" in OID("2.5.4.5")
</Location>
[Mon May 10 15:59:43 2010] [info] Access to cgi-bin/printenv.pl denied
for 127.0.0.1 (requirement expression not fulfilled)
[Mon May 10 15:59:43 2010] [info] Failed expression: "400023144340" in
OID("2.5.4.5")
Output when bypassing the SSLRequire directive (this should return the
value of the field matching the OID, right?):
OIDTEST=""
Thanks in advance for your help.
Lionel
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [email protected]
Automated List Manager [email protected]
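Added example, not part of Lionel's post and not mod_ssl code: a small DER walker showing what any "value in OID(...)" style check has to do before it can compare strings. Two caveats a practitioner will want first. In X.520, 2.5.4.5 is the serialNumber attribute type, i.e. a component of a distinguished name, not a certificate extension OID, so the sample below uses a hypothetical private extension OID (1.3.6.1.4.1.99999.1) instead. And an extension's extnValue is an OCTET STRING whose content is itself DER, so the raw bytes start with the inner tag and length; an exact match against "400023144340" only succeeds after that inner UTF8String/PrintableString/IA5String is decoded. The OID, the value and the allowed set are constructed sample data.

```python
# Added example: locate an X.509 extension by OID in DER, unwrap the OCTET
# STRING, decode the inner string and check it against an allow-list.
# Sample OID 1.3.6.1.4.1.99999.1 and the values are hypothetical/constructed.

UTF8STRING, PRINTABLESTRING, IA5STRING = 0x0C, 0x13, 0x16
SEQUENCE, OID, BOOLEAN, OCTET_STRING = 0x30, 0x06, 0x01, 0x04


def der_length(n):
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    """Tag-length-value wrapper."""
    return bytes([tag]) + der_length(len(body)) + body


def encode_oid(dotted):
    """Dotted OID -> DER content octets (first two arcs share one byte,
    later arcs are base-128 with a continuation bit)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def decode_oid(content):
    """DER content octets -> dotted OID (first arc 0..2, second arc < 40)."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_extensions(extensions_der):
    """Extensions ::= SEQUENCE OF Extension { extnID OID, critical BOOLEAN
    DEFAULT FALSE, extnValue OCTET STRING } -> [(oid, critical, extnValue)]."""
    tag, seq, _ = read_tlv(extensions_der)
    assert tag == SEQUENCE
    result, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid_bytes, p = read_tlv(ext)
        critical = False
        t, body, p = read_tlv(ext, p)
        if t == BOOLEAN:                       # optional, absent when FALSE
            critical = body != b"\x00"
            t, body, p = read_tlv(ext, p)
        assert t == OCTET_STRING
        result.append((decode_oid(oid_bytes), critical, body))
    return result


def extension_string(extn_value):
    """extnValue wraps more DER: decode a plain string type, else None."""
    tag, inner, _ = read_tlv(extn_value)
    if tag in (UTF8STRING, PRINTABLESTRING, IA5STRING):
        return inner.decode("utf-8")
    return None


def extension_values(extensions_der, oid):
    """All decoded string values carried by extensions with this OID."""
    return [extension_string(v) for o, _, v in parse_extensions(extensions_der) if o == oid]


def access_granted(extensions_der, oid, allowed):
    """Grant only on an exact match against the allow-list (no substrings)."""
    return any(v in allowed for v in extension_values(extensions_der, oid) if v is not None)


SAMPLE_OID = "1.3.6.1.4.1.99999.1"   # hypothetical private-enterprise OID


def build_sample(value, critical=False, string_tag=UTF8STRING):
    """Constructed Extensions blob with one extension carrying `value`."""
    parts = tlv(OID, encode_oid(SAMPLE_OID))
    if critical:
        parts += tlv(BOOLEAN, b"\xff")
    parts += tlv(OCTET_STRING, tlv(string_tag, value.encode()))
    return tlv(SEQUENCE, tlv(SEQUENCE, parts))


ALLOWED = {"400023144340", "400023144341"}   # constructed allow-list
SAMPLE = build_sample("400023144340")        # constructed client extension

if __name__ == "__main__":
    print("raw extnValue:", parse_extensions(SAMPLE)[0][2].hex())
    print("decoded      :", extension_values(SAMPLE, SAMPLE_OID))
    print("granted      :", access_granted(SAMPLE, SAMPLE_OID, ALLOWED))
```

The raw extnValue printed first begins with 0c 0c (UTF8String tag and length) before the digits, which is why a byte-for-byte comparison against the bare value fails while the decoded comparison succeeds; the allow-list is kept as a set of exact values rather than a regex so a shorter identifier cannot match as a prefix of a longer one.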