Anybody? :-/

On Thu, Dec 15, 2016 at 12:46 PM, Andrei Ivanov <andrei.iva...@gmail.com> wrote:
> Hi,
> I'm trying to validate incoming requests by comparing the request IP to
> the IP addresses provided in the client certificate subjectAltName.
>
> Searching around, I found
> http://wiki.cacert.org/ApacheServerClientCertificateAuthentication,
> which gives an example using the email address:
>
> SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/ or
> %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/ or
> %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/ or
> %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/ or
> %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
>
> But there are 2 problems:
> 1. The IP addresses are not exported as variables by mod_ssl (see
> https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
> 2. The number of IP addresses is variable, not sure how I could do the
> check with an expression
>
> The Apache Httpd is a frontend for a PHP and a Python application, so it
> would be nice to be able to do this filtering in one place instead of doing
> it at the applications level.
>
> Any suggestions?
>
> Thank you.
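
Added example, not part of the original message: the check described above (request IP against every iPAddress entry in subjectAltName, however many there are), written as application-side Python. It assumes the SAN entries have already been extracted from the client certificate into the (type, value) pairs that Python's `ssl.getpeercert()` uses; the function names and the sample data are hypothetical.

```python
import ipaddress


def _normalize(addr):
    """Parse an address string and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(str(addr).strip())
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def san_ip_addresses(san_entries):
    """Collect all iPAddress SAN entries; the count is not fixed in advance."""
    ips = set()
    for kind, value in san_entries:
        if kind != "IP Address":
            continue  # dNSName, rfc822Name etc. play no part in this check
        try:
            ips.add(_normalize(value))
        except ValueError:
            continue  # a malformed entry can never match a request
    return ips


def request_ip_allowed(remote_addr, san_entries):
    """True only if the request IP equals one of the certificate's SAN IPs.

    Comparison is done on parsed addresses, so '2001:DB8:0:0:0:0:0:1' and
    '2001:db8::1' are equal. Fails closed when the certificate carries no
    IP entries or the remote address cannot be parsed.
    """
    try:
        remote = _normalize(remote_addr)
    except ValueError:
        return False
    return remote in san_ip_addresses(san_entries)


# Constructed sample SAN, in the shape ssl.getpeercert()["subjectAltName"] has.
SAMPLE_SAN = (
    ("DNS", "client1.example.com"),
    ("IP Address", "192.0.2.10"),
    ("IP Address", "2001:DB8:0:0:0:0:0:1"),
    ("IP Address", "not-an-ip"),
)

if __name__ == "__main__":
    for addr in ("192.0.2.10", "2001:db8::1", "::ffff:192.0.2.10", "192.0.2.11"):
        print(addr, request_ip_allowed(addr, SAMPLE_SAN))
```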