SSL_CLIENT_SAN IP addr validation

Hi,
I'm trying to validate incoming requests by comparing the request IP to the IP addresses provided in the client certificate subjectAltName.

Searching around, I found http://wiki.cacert.org/ApacheServerClientCertificateAuthentication, which gives an example using the email address:
SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
          or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/
          or %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/
          or %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/
          or %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/

But there are 2 problems:
1. The IP addresses are not exported as variables by mod_ssl (see https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
2. The number of IP addresses is variable, not sure how I could do the check with an expression

The Apache Httpd is a frontend for a PHP and a Python application, so it would be nice to be able to do this filtering in one place instead of doing it at the applications level.

Any suggestions?

Thank you.
