Docs suggest
<https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire> using
Require expr in place of SSLRequire. Require expr supports such
variables as REMOTE_ADDR and CONN_REMOTE_ADDR. In any case, I do not see
much sense in issuing or verifying certificates with IP address in
subjectAltName.
What you probably want is accepting clients belonging to a particular
group. Issue them certificates with the same organizational unit and
verify SSL_CLIENT_S_DN_OU as well as SSL_CLIENT_S_DN_O.
--
With Best Regards,
Marat Khalili
On 15/12/16 13:46, Andrei Ivanov wrote:
Hi,
I'm trying to validate incoming requests by comparing the request IP
to the IP addresses provided in the client certificate subjectAltName.
Searching around, I found
http://wiki.cacert.org/ApacheServerClientCertificateAuthentication,
which gives an example using the email address:
SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/
or %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/
or %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/
or %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
But there are 2 problems:
1. the IP addresses are not exported as variables by mod_ssl (see
https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
2. The number of IP addresses is variable, so I am not sure how I could do the
check with an expression
The Apache Httpd is a frontend for a PHP and a Python application, so
it would be nice to be able to do this filtering in one place instead
of doing it at the applications level.
Any suggestions?
Thank you.
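Added example illustrating the approach suggested in the reply above (it is not configuration posted by either participant). It replaces the SSLRequire e-mail regex with a Require expr check on the certificate's O and OU, and, for the part of the question about the peer address, pairs that check with a plain Require ip on the actual connection address rather than on subjectAltName entries mod_ssl does not export. The file paths, the organization and unit strings, and the 10.0.0.0/8 network are assumed values.

```apache
# Assumed paths and names below; adjust to the deployment.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # Only client certificates chaining to this CA are accepted at all;
    # every authorization check below sits on top of that verification.
    SSLCACertificateFile /etc/ssl/example/client-ca.pem
    SSLVerifyClient require
    SSLVerifyDepth 2

    <Location "/app">
        # Group membership is carried in the subject DN: the CA issues all
        # authorized clients with the same O and OU, so the check does not
        # depend on how many (or which) SAN entries the certificate has.
        # SSL_CLIENT_VERIFY guards against optional_no_ca style setups.
        Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS' && %{SSL_CLIENT_S_DN_O} == 'Example Corp' && %{SSL_CLIENT_S_DN_OU} == 'Backend Services'"
    </Location>

    <Location "/app/admin">
        # Network restriction is checked on the real peer address of the
        # connection, not on an address claimed inside the certificate.
        # Both conditions must hold for the request to be authorized.
        <RequireAll>
            Require expr "%{SSL_CLIENT_VERIFY} == 'SUCCESS' && %{SSL_CLIENT_S_DN_O} == 'Example Corp' && %{SSL_CLIENT_S_DN_OU} == 'Operations'"
            Require ip 10.0.0.0/8
        </RequireAll>
    </Location>
</VirtualHost>
```

Because the decision is made in httpd, the PHP and Python applications behind it receive only requests that already passed the certificate and address checks; if they additionally need the DN fields, `SSLOptions +StdEnvVars` exports the same SSL_CLIENT_S_DN_* values into the request environment.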