If you really put an IP address in a domain subjectAltName and want to verify it, I suppose the expression should be something like this:

Require expr "%{SSL_CLIENT_SAN_DNS_1} == %{REMOTE_ADDR}"


--

With Best Regards,
Marat Khalili

On 19/12/16 18:48, Andrei Ivanov wrote:
Hi,
Yes, I did notice the suggestion of using Require expr, the problem is that I don't know what expression I could use, with the details explained below.

Any way to do this without a variable containing the subjectAltName IP address?

Regarding if this actually makes sense or not is a different story, as this was decided by other people... :-)


On Mon, Dec 19, 2016 at 5:41 PM, Marat Khalili <m...@rqc.ru> wrote:

    Docs suggest
    <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire>
    using Require expr in place of SSLRequire. Require expr supports
    such variables as REMOTE_ADDR and CONN_REMOTE_ADDR. In any case, I
    do not see much sense in issuing or verifying certificates with IP
    address in subjectAltName.

    What you probably want is accepting clients belonging to
    particular group. Issue them certificates with the same
    organizational unit and verify SSL_CLIENT_S_DN_OU as well as
    SSL_CLIENT_S_DN_O.

    --

    With Best Regards,
    Marat Khalili

    On 15/12/16 13:46, Andrei Ivanov wrote:
    Hi,
    I'm trying to validate incoming requests by comparing the request
    IP to the IP addresses provided in the client certificate
    subjectAltName.

    Searching around, I found
    http://wiki.cacert.org/ApacheServerClientCertificateAuthentication,
    which gives an example using the email address:
    SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
               or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/
               or %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/
               or %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/
               or %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/

    But there are 2 problems:
    1. the IP addresses are not exported as variables by mod_ssl
    (see https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
    2. The number of IP addresses is variable, not sure how I could
    do the check with an expression

    The Apache Httpd is a frontend for a PHP and a Python
    application, so it would be nice to be able to do this filtering
    in one place instead of doing it at the applications level.

    Any suggestions?

    Thank you.



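An added example, not from anyone in this thread, that puts Marat's Require expr suggestion into a full httpd 2.4 vhost and addresses Andrei's second problem (a variable number of entries) by checking a fixed number of SAN slots inside a RequireAny block. Assumptions: the client certificates carry the IP as a dNSName entry (an iPAddress entry is not exported, which is the bug linked above), the index is zero-based like the SSL_CLIENT_S_DN_Email_0 example, at most four entries are issued per certificate, and all file paths are placeholders.

```apache
<VirtualHost *:443>
    ServerName app.example.com
    SSLEngine on
    # Server certificate and key: placeholder paths
    SSLCertificateFile    "/etc/ssl/certs/app.example.com.pem"
    SSLCertificateKeyFile "/etc/ssl/private/app.example.com.key"
    # CA that issued the client certificates: placeholder path.
    # Only clients whose certificate chains to this CA get past the handshake.
    SSLCACertificateFile  "/etc/ssl/ca/client-ca.pem"

    <Location "/app">
        SSLVerifyClient require
        SSLVerifyDepth  2

        # The request is allowed if at least one expression is true.
        # A SAN slot the certificate does not have expands to the empty
        # string, which never equals REMOTE_ADDR, so unused slots fail closed.
        # Raise the slot count if certificates carry more dNSName entries.
        <RequireAny>
            Require expr "%{SSL_CLIENT_SAN_DNS_0} == %{REMOTE_ADDR}"
            Require expr "%{SSL_CLIENT_SAN_DNS_1} == %{REMOTE_ADDR}"
            Require expr "%{SSL_CLIENT_SAN_DNS_2} == %{REMOTE_ADDR}"
            Require expr "%{SSL_CLIENT_SAN_DNS_3} == %{REMOTE_ADDR}"
        </RequireAny>
    </Location>
</VirtualHost>
```

Because the comparison is a plain string match, REMOTE_ADDR must appear in the certificate in exactly the form httpd logs it (for IPv6 that means the same compressed notation), and if a reverse proxy sits in front of httpd, REMOTE_ADDR is the proxy's address, not the client's.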