Hmm, Are you suggesting to put the IP address with the DNS prefix instead of the proper IP prefix?
Also what about the possibility of having a variable number of addresses there? It would have been nice to have something like "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddrs}", where SSL_CLIENT_SAN_IPaddrs would be an array with the addresses and 'in' would be the 'array contains' operator.

On Mon, Dec 19, 2016 at 6:09 PM, Marat Khalili <m...@rqc.ru> wrote:
> If you really put IP address in domain subjectAltName and want to verify
> it, I suppose expression should be something like this:
>
> Require expr "%{SSL_CLIENT_SAN_DNS_1} == %{REMOTE_ADDR}"
>
> --
>
> With Best Regards,
> Marat Khalili
>
> On 19/12/16 18:48, Andrei Ivanov wrote:
>
> Hi,
> Yes, I did notice the suggestion of using Require expr, the problem is
> that I don't know what expression I could use, with the details explained
> below.
>
> Any way to do this without a variable containing the subjectAltName IP
> address?
>
> Regarding if this actually makes sense or not is a different story, as
> this was decided by other people... :-)
>
>
> On Mon, Dec 19, 2016 at 5:41 PM, Marat Khalili <m...@rqc.ru> wrote:
>
>> Docs suggest
>> <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire> using
>> Require expr in place of SSLRequire. Require expr supports such variables
>> as REMOTE_ADDR and CONN_REMOTE_ADDR. In any case, I do not see much sense
>> in issuing or verifying certificates with IP address in subjectAltName.
>>
>> What you probably want is accepting clients belonging to particular
>> group. Issue them certificates with the same organizational unit and verify
>> SSL_CLIENT_S_DN_OU as well as SSL_CLIENT_S_DN_O.
>> --
>>
>> With Best Regards,
>> Marat Khalili
>>
>> On 15/12/16 13:46, Andrei Ivanov wrote:
>>
>> Hi,
>> I'm trying to validate incoming requests by comparing the request IP to
>> the IP addresses provided in the client certificate subjectAltName.
>>
>> Searching around, I found
>> http://wiki.cacert.org/ApacheServerClientCertificateAuthentication,
>> which gives an example using the email address:
>>
>> SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/ or
>> %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/ or
>> %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/ or
>> %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/ or
>> %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
>>
>>
>> But there are 2 problems:
>> 1. the IP addresses are not exported as variables by mod_ssl (see
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
>> 2. The number of IP addresses is variable, not sure how I could do the
>> check with an expression
>>
>> The Apache Httpd is a frontend for a PHP and a Python application, so it
>> would be nice to be able to do this filtering in one place instead of doing
>> it at the applications level.
>>
>> Any suggestions?
>>
>> Thank you.
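The "array contains" check the thread is asking for, done at the application level that Andrei wants to avoid, as an added example that is not part of this thread or of httpd: it assumes the workaround Marat describes (the client's addresses carried as dNSName SAN entries, which mod_ssl exposes to the backend as SSL_CLIENT_SAN_DNS_n when SSLOptions +StdEnvVars is on), collects however many slots exist instead of hard-coding a fixed count, and compares REMOTE_ADDR against them as parsed addresses rather than strings. The environment dictionary is constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample of the CGI/WSGI environment a backend sees when mod_ssl
# exports client-certificate variables (SSLOptions +StdEnvVars). The values are
# made up for this example. Following the workaround discussed in the thread,
# the client's addresses are carried as dNSName SAN entries, which mod_ssl
# exposes as SSL_CLIENT_SAN_DNS_n, numbered from 0.
SAMPLE_ENV: Dict[str, str] = {
    "REMOTE_ADDR": "192.0.2.10",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN_O": "Example Org",
    "SSL_CLIENT_SAN_DNS_0": "client.example.org",
    "SSL_CLIENT_SAN_DNS_1": "192.0.2.10",
    "SSL_CLIENT_SAN_DNS_2": "2001:db8::10",
}

# One variable per SAN entry; the count is not known in advance, so the numbered
# suffix is matched instead of hard-coding a fixed number of slots.
_SAN_DNS_VAR = re.compile(r"^SSL_CLIENT_SAN_DNS_(\d+)$")


def _normalize(addr: IPAddress) -> IPAddress:
    """Map an IPv4-mapped IPv6 address (::ffff:a.b.c.d) back to IPv4 so that
    both textual forms of the same client compare equal."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def san_ip_addresses(env: Dict[str, str]) -> List[IPAddress]:
    """Collect every SAN slot whose value is an IP literal, in slot order.
    Real hostnames in the same slots are ignored."""
    found = []
    for name, value in env.items():
        match = _SAN_DNS_VAR.match(name)
        if not match:
            continue
        try:
            addr = _normalize(ipaddress.ip_address(value.strip()))
        except ValueError:
            # e.g. client.example.org: a hostname, not an address, so skip it.
            continue
        found.append((int(match.group(1)), addr))
    return [addr for _, addr in sorted(found)]


def request_allowed(env: Dict[str, str]) -> bool:
    """Allow only if mod_ssl verified the client certificate and REMOTE_ADDR is
    one of the addresses the certificate carries. Anything else is a deny."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return False
    try:
        remote = _normalize(ipaddress.ip_address(env.get("REMOTE_ADDR", "").strip()))
    except ValueError:
        return False
    allowed = san_ip_addresses(env)
    # A certificate with no address entries grants nothing; an empty list is a
    # deny, not a wildcard.
    return bool(allowed) and remote in allowed


if __name__ == "__main__":
    print("allowed" if request_allowed(SAMPLE_ENV) else "denied")
```

Two points the thread glosses over are visible in the code: the check must be gated on SSL_CLIENT_VERIFY, since the SAN variables are only meaningful for a certificate that chained to a trusted CA, and the comparison has to be on parsed addresses, because the same IPv4 client can appear in REMOTE_ADDR as `::ffff:192.0.2.10` on a dual-stack listener and would never match a string compare against `192.0.2.10`. If the check has to stay in httpd, the only option the thread leaves is the SSLRequire pattern from the cacert page: a `Require expr` that ORs a fixed number of SSL_CLIENT_SAN_DNS_n slots, which silently stops working once a certificate carries more entries than the expression enumerates.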