hey guys, I hope you're all doing fine. I need a little support here on ssl client verification, tell me please if this is not the right place.
I need to check for a specific extension field value from X.509 client certificates to grant access to defined users. I read this could be possible using the OID() or PeerExtList() functions. I had to determine the field OID using the OpenSSL Java package, and I'm trying to debug the SSLRequire check using the SetEnvIf module and SSI+perl printenv.pl (maybe there is a better way to do this?).

So, my problem is I can't seem to find a way to validate my client based on this field. I was wondering, first: should this work? Second: if the extension value is DER encoded, would Apache be able to handle this check, and how would I store the granted values? I'm using Apache 2.2.9. Let me know if you need some more detailed info on this; I can handle the certificate or my entire configuration file if needed.

This is what I ended up trying, and the results:

    SSLEngine on
    SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire +StdEnvVars
    SSLCertificateFile ssl/server.crt
    SSLCertificateKeyFile ssl/server-private.key
    LogLevel debug
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /ssl/clients/ca.crt
    <Location />
        SetenvIf OID("2.5.4.5") "(.*)" OIDTEST=$1
        SSLRequire "400023144340" in OID("2.5.4.5")
    </Location>

    [Mon May 10 15:59:43 2010] [info] Access to cgi-bin/printenv.pl denied for 127.0.0.1 (requirement expression not fulfilled)
    [Mon May 10 15:59:43 2010] [info] Failed expression: "400023144340" in OID("2.5.4.5")

Output if bypassing the SSLRequire directive (this should return the OID matching field value, right?):

    OIDTEST=""

Thanks in advance for your help.

Lionel

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org
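The post asks what a check like `SSLRequire "400023144340" in OID("2.5.4.5")` actually compares and how granted values could be stored. OID 2.5.4.5 is the X.520 serialNumber attribute of a distinguished name, so the value lives in the certificate's DER-encoded subject Name, not in an extension. The following is an added example, not code from the poster or from mod_ssl: it decodes a DER subject Name by hand, collects its attributes by dotted OID, and emulates the SSLRequire test against an allow-list. The subject bytes, the OID constant, the allow-list and the function names (`parse_name`, `is_granted`) are all constructed for illustration.

```python
"""Decode a DER X.509 subject Name and check one attribute against an allow-list.

mod_ssl's OID() lookup and SSLRequire do this inside Apache; this stand-alone
sketch shows the same lookup so the DER encoding can be inspected by hand.
"""

# OID 2.5.4.5 is the X.520 serialNumber attribute of a distinguished name.
SERIAL_NUMBER_OID = "2.5.4.5"

# Constructed allow-list of granted serialNumber values (placeholder data).
GRANTED_SERIALS = {"400023144340", "400023144341"}


def _read_tlv(data, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length: N length bytes follow
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OBJECT IDENTIFIER content bytes into dotted notation."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in raw[1:]:                       # base-128, high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_name(der):
    """Walk Name ::= SEQUENCE OF SET OF SEQUENCE { OID, value } into {oid: [values]}."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    attrs = {}
    pos = 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)               # SET: one RelativeDistinguishedName
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)       # SEQUENCE: AttributeTypeAndValue
            _, oid_raw, after = _read_tlv(atv, 0)
            vtag, val, _ = _read_tlv(atv, after)
            if vtag not in (0x13, 0x0C, 0x16):          # PrintableString, UTF8String, IA5String
                raise ValueError("unsupported string type 0x%02x" % vtag)
            attrs.setdefault(_decode_oid(oid_raw), []).append(val.decode("utf-8"))
    return attrs


def is_granted(der, oid=SERIAL_NUMBER_OID, allowed=GRANTED_SERIALS):
    """Emulate  SSLRequire "<value>" in OID("2.5.4.5")  with an allow-list of values."""
    return any(v in allowed for v in parse_name(der).get(oid, []))


# --- constructed sample input (a hand-built subject, not a real certificate) ---
def _tlv(tag, content):
    """Minimal DER encoder, enough for the short sample values below."""
    if len(content) >= 0x80:
        raise ValueError("sample encoder only handles short-form lengths")
    return bytes([tag, len(content)]) + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(chunk)
    return bytes(out)


def _attr(oid, text):
    """SET { SEQUENCE { OID, PrintableString } } for one RDN."""
    return _tlv(0x31, _tlv(0x30, _tlv(0x06, _encode_oid(oid)) + _tlv(0x13, text.encode())))


# CN=Lionel, O=Example, serialNumber=400023144340
SAMPLE_SUBJECT = _tlv(0x30, _attr("2.5.4.3", "Lionel") + _attr("2.5.4.10", "Example")
                      + _attr(SERIAL_NUMBER_OID, "400023144340"))
# CN=Mallory, serialNumber=999 (not in the allow-list)
OTHER_SUBJECT = _tlv(0x30, _attr("2.5.4.3", "Mallory") + _attr(SERIAL_NUMBER_OID, "999"))

if __name__ == "__main__":
    print(parse_name(SAMPLE_SUBJECT))
    print(is_granted(SAMPLE_SUBJECT), is_granted(OTHER_SUBJECT))
```

Two points the decoder makes visible: the value mod_ssl compares is the decoded string contents of the attribute, not the raw DER bytes, so a plain string literal in SSLRequire is the right thing to match against; and a set of granted values kept outside the Apache configuration (as `GRANTED_SERIALS` is here) is easier to audit and rotate than a growing chain of `or` clauses in the directive.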