Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

2016-12-19 Thread Andrei Ivanov
I think the nicest way would be like mod_ssl does with PeerExtList: Example SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6") So at least it's nice to know Apache Httpd already does this in some cases. I guess I'll update my ticket, or maybe create a new one for all the subjectAltName variables.

Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

2016-12-19 Thread Marat Khalili
As an additional benefit, you will be able to issue certificates with regular expressions matching whole subnets! :) -- With Best Regards, Marat Khalili On 19/12/16 20:41, Marat Khalili wrote: Are you suggesting to put the IP address with the DNS prefix instead of the proper IP prefix? Act

Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

2016-12-19 Thread Marat Khalili
Are you suggesting to put the IP address with the DNS prefix instead of the proper IP prefix? Actually, I was not aware of the official possibility of having an IP address in subjectAltName until 5 minutes ago :) But since Apache developers also didn't provide for this, using the DNS prefix is definitel

Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

2016-12-19 Thread Andrei Ivanov
Hmm, Are you suggesting to put the IP address with the DNS prefix instead of the proper IP prefix? Also what about the possibility of having a variable number of addresses there? It would have been nice to have something like "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddrs}", where SSL_CLIENT_SAN_IPa

Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

2016-12-19 Thread Marat Khalili
If you really put an IP address in a DNS subjectAltName and want to verify it, I suppose the expression should be something like this: Require expr "%{SSL_CLIENT_SAN_DNS_1} == %{REMOTE_ADDR}" -- With Best Regards, Marat Khalili On 19/12/16 18:48, Andrei Ivanov wrote: Hi, Yes, I did notice the s

Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

2016-12-19 Thread Pacicin Chiaricurri
Salam, Are you related to Nabila Khalili by chance?? On Dec 19, 2016 10:41 AM, "Marat Khalili" wrote: > Docs suggest using Require expr in place of SSLRequire. Require expr supports such variables as REMOTE_ADDR and CONN_REMO

Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

2016-12-19 Thread Andrei Ivanov
Hi, Yes, I did notice the suggestion of using Require expr; the problem is that I don't know what expression I could use, with the details explained below. Is there any way to do this without a variable containing the subjectAltName IP address? Whether this actually makes sense or not is a different

Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

2016-12-19 Thread Marat Khalili
Docs suggest using Require expr in place of SSLRequire. Require expr supports such variables as REMOTE_ADDR and CONN_REMOTE_ADDR. In any case, I do not see much sense in issuing or verifying certificates with IP address in subject

[users@httpd] SSL_CLIENT_SAN IP addr validation

2016-12-15 Thread Andrei Ivanov
Hi, I'm trying to validate incoming requests by comparing the request IP to the IP addresses provided in the client certificate subjectAltName. Searching around, I found http://wiki.cacert.org/ApacheServerClientCertificateAuthentication, which gives an example using the email address: SSLRequire
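The check the original post asks for, carried out in application code rather than in an Apache directive, as an added example that is not part of the thread and not mod_ssl's own code. The thread notes that mod_ssl exposes SSL_CLIENT_SAN_DNS_n variables but no variable for iPAddress subjectAltName entries; this example instead takes the SAN entries as strings in the form `openssl x509 -text` prints them (a constructed list, assumed format) and compares the request's remote address against the iPAddress entries only. It normalises IPv4-mapped IPv6 addresses (what a dual-stack listener reports for IPv4 clients) and deliberately ignores DNS entries that merely look like addresses, so a certificate issued with `DNS:10.0.0.7` does not pass an IP check.

```python
import ipaddress
from typing import Iterable, List, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample: subjectAltName entries as "openssl x509 -text" prints them.
# Not taken from any real certificate.
SAMPLE_SAN = [
    "DNS:client.example.org",
    "IP Address:10.0.0.5",
    "IP Address:2001:db8::1",
    "DNS:10.0.0.7",          # a DNS entry that only looks like an address
    "IP Address:not-an-ip",  # malformed entry, must never match
]


def san_ip_addresses(san_entries: Iterable[str]) -> List[Address]:
    """Return only the iPAddress entries of a subjectAltName list.

    DNS entries are skipped on purpose: a dNSName that happens to look like
    an IP address is not an iPAddress SAN and must not satisfy an IP check.
    Malformed values are dropped rather than raising, so they cannot match.
    """
    found: List[Address] = []
    for entry in san_entries:
        kind, sep, value = entry.partition(":")
        if not sep or kind.strip().lower() != "ip address":
            continue
        try:
            found.append(ipaddress.ip_address(value.strip()))
        except ValueError:
            continue
    return found


def normalize_remote(remote_addr: str) -> Address:
    """Parse REMOTE_ADDR; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4
    so that a dual-stack listener compares like with like."""
    addr = ipaddress.ip_address(remote_addr)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def remote_matches_san(remote_addr: str, san_entries: Iterable[str]) -> bool:
    """True only if the request's address equals one of the certificate's
    iPAddress SAN entries. An unparsable REMOTE_ADDR is treated as no match."""
    try:
        remote = normalize_remote(remote_addr)
    except ValueError:
        return False
    return remote in san_ip_addresses(san_entries)


if __name__ == "__main__":
    for candidate in ("10.0.0.5", "::ffff:10.0.0.5", "10.0.0.6", "10.0.0.7", "2001:DB8::1"):
        print(candidate, "->", "allow" if remote_matches_san(candidate, SAMPLE_SAN) else "deny")
```

In a deployment this decision would sit behind the TLS layer (for example in a WSGI middleware that receives the verified client certificate), and the deny branch should be logged with both the remote address and the certificate's SAN list so that mismatches caused by proxies or NAT are visible rather than silently refused.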