Hmm,
Are you suggesting putting the IP address under the DNS prefix instead of the
proper IP prefix?

Also what about the possibility of having a variable number of addresses
there?
It would have been nice to have something like
"%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddrs}", where SSL_CLIENT_SAN_IPaddrs
would be an array with the addresses and 'in' would be the 'array contains'
operator.


On Mon, Dec 19, 2016 at 6:09 PM, Marat Khalili <m...@rqc.ru> wrote:

> If you really put IP address in domain subjectAltName and want to verify
> it, I suppose expression should be something like this:
>
> Require expr "%{SSL_CLIENT_SAN_DNS_1} == %{REMOTE_ADDR}"
>
>
> --
>
> With Best Regards,
> Marat Khalili
>
> On 19/12/16 18:48, Andrei Ivanov wrote:
>
> Hi,
> Yes, I did notice the suggestion of using Require expr; the problem is
> that I don't know what expression I could use, with the details explained
> below.
>
> Any way to do this without a variable containing the subjectAltName IP
> address?
>
> Whether this actually makes sense or not is a different story, as
> this was decided by other people... :-)
>
>
> On Mon, Dec 19, 2016 at 5:41 PM, Marat Khalili <m...@rqc.ru> wrote:
>
>> Docs suggest using Require expr in place of SSLRequire
>> (https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire).
>> Require expr supports such variables as REMOTE_ADDR and CONN_REMOTE_ADDR.
>> In any case, I do not see much sense in issuing or verifying certificates
>> with IP address in subjectAltName.
>>
>> What you probably want is accepting clients belonging to a particular
>> group. Issue them certificates with the same organizational unit and verify
>> SSL_CLIENT_S_DN_OU as well as SSL_CLIENT_S_DN_O.
>> --
>>
>> With Best Regards,
>> Marat Khalili
>>
>> On 15/12/16 13:46, Andrei Ivanov wrote:
>>
>> Hi,
>> I'm trying to validate incoming requests by comparing the request IP to
>> the IP addresses provided in the client certificate subjectAltName.
>>
>> Searching around, I found
>> http://wiki.cacert.org/ApacheServerClientCertificateAuthentication,
>> which gives an example using the email address:
>>
>> SSLRequire %{SSL_CLIENT_S_DN_Email}   =~ m/^[^@]*@example\.com$/ or \
>>            %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/ or \
>>            %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/ or \
>>            %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/ or \
>>            %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
>>
>>
>> But there are 2 problems:
>> 1. the IP addresses are not exported as variables by mod_ssl (see
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
>> 2. the number of IP addresses is variable, so I am not sure how I could do
>> the check with an expression
>>
>> The Apache httpd is a frontend for a PHP and a Python application, so it
>> would be nice to be able to do this filtering in one place instead of doing
>> it at the application level.
>>
>> Any suggestions?
>>
>> Thank you.
>>
>>
>>
>
>
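
Since mod_ssl does not export the iPAddress entries of the subjectAltName as
variables (problem 1 above) and their number varies (problem 2), the check the
thread is after can be done in the PHP/Python backend instead. The following is
an added example, not code from httpd or from anyone in this thread: a
standard-library Python parser for the DER GeneralNames of a subjectAltName
extension that collects the iPAddress entries and compares REMOTE_ADDR against
them as parsed addresses rather than strings. It assumes the DER value of the
subjectAltName extension has already been pulled out of the client certificate
(mod_ssl can pass the PEM certificate to a backend via SSLOptions
+ExportCertData in SSL_CLIENT_CERT, but walking the X.509 structure to the
extension needs a certificate parser that is not shown here). The sample SAN
bytes, host names and addresses are constructed for the example.

```python
"""Match REMOTE_ADDR against the iPAddress subjectAltName entries of a client
certificate, using only the standard library.

Added example for the httpd-users thread on checking the client address against
the certificate SAN; not code from httpd or from any poster. Assumes the caller
already has the DER-encoded GeneralNames of the subjectAltName extension.
"""
import ipaddress
from typing import List, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# GeneralName CHOICE alternatives as they appear in DER (context-specific tags).
TAG_RFC822NAME = 0x81   # [1] IMPLICIT IA5String
TAG_DNSNAME = 0x82      # [2] IMPLICIT IA5String
TAG_IPADDRESS = 0x87    # [7] IMPLICIT OCTET STRING (4 or 16 octets)
TAG_SEQUENCE = 0x30


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long form: low 7 bits = count of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[pos:end], end


def san_ip_addresses(general_names_der: bytes) -> List[IPAddr]:
    """Return the iPAddress entries of a DER GeneralNames SEQUENCE.

    dNSName, rfc822Name and other alternatives are skipped. An iPAddress that
    is not 4 or 16 octets is rejected instead of being guessed at.
    """
    tag, body, end = _read_tlv(general_names_der, 0)
    if tag != TAG_SEQUENCE or end != len(general_names_der):
        raise ValueError("input is not a single GeneralNames SEQUENCE")
    addrs: List[IPAddr] = []
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != TAG_IPADDRESS:
            continue
        if len(value) not in (4, 16):
            raise ValueError("iPAddress SAN must be 4 or 16 octets")
        addrs.append(ipaddress.ip_address(value))   # accepts packed bytes
    return addrs


def remote_addr_allowed(remote_addr: str, general_names_der: bytes) -> bool:
    """True if REMOTE_ADDR equals one of the certificate's iPAddress SAN entries.

    Addresses are compared after parsing, so '2001:db8::1' and
    '2001:0db8:0:0:0:0:0:1' match, and an IPv4-mapped address from a
    dual-stack listener ('::ffff:192.0.2.10') matches an IPv4 SAN entry.
    A REMOTE_ADDR that is not an IP address at all is simply rejected.
    """
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr in san_ip_addresses(general_names_der)


def _tlv(tag: int, value: bytes) -> bytes:
    """Minimal DER encoder (short and long length form), used only to build the sample."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


# Constructed sample SAN: one dNSName, two iPAddress entries, one rfc822Name.
SAMPLE_SAN_DER = _tlv(
    TAG_SEQUENCE,
    _tlv(TAG_DNSNAME, b"host.example")
    + _tlv(TAG_IPADDRESS, ipaddress.IPv4Address("192.0.2.10").packed)
    + _tlv(TAG_IPADDRESS, ipaddress.IPv6Address("2001:db8::1").packed)
    + _tlv(TAG_RFC822NAME, b"ops@example.com"),
)

if __name__ == "__main__":
    print("SAN iPAddress entries:", [str(a) for a in san_ip_addresses(SAMPLE_SAN_DER)])
    for peer in ("192.0.2.10", "2001:0db8:0:0:0:0:0:1", "::ffff:192.0.2.10", "192.0.2.11"):
        print(f"REMOTE_ADDR={peer!s:28} allowed={remote_addr_allowed(peer, SAMPLE_SAN_DER)}")
```

The parsed comparison is the part an ap_expr string equality such as
`%{SSL_CLIENT_SAN_DNS_1} == %{REMOTE_ADDR}` would not give: httpd reports
IPv6 peers in one textual form, a CA may encode the same address differently
in a dNSName, and a dual-stack listener reports IPv4 peers as IPv4-mapped IPv6
addresses, so a byte-for-byte string match can silently reject legitimate
clients.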
