Re: filtering by IP SAN entries in the client certificate

On Thu, Feb 16, 2017 at 11:38 AM, Andrei Ivanov <andrei.ivanov@xxxxxxxxx> wrote:
On Wed, Feb 15, 2017 at 12:46 PM, Daniel Gruno <humbedooh@xxxxxxxxxx> wrote:
On 02/15/2017 11:31 AM, Andrei Ivanov wrote:
> Hi,
> I have a requirement to check incoming requests, something that would be
> succinctly expressed this way:
>
> <Location />
>     Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> </Location>
>
> This would check that the request IP address is among the IP addresses
> in the client certificate.
>
> Unfortunately, this doesn't work:
> 1. SSL_CLIENT_SAN_IPaddr is not exposed by mod_ssl, but I've switched to
> mod_nss, which exports it
> 2. The expression evaluation engine doesn't know how to evaluate this
> kind of expression
> 3. I've tried using mod_lua for the expression, but it can't access this
> kind of environment variables (and the SSL specific only if exposed by
> mod_ssl, not other modules, like mod_nss)

Have you tried using a rewriterule hack to pass the var?
RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPaddr}]

that would expose it in mod_lua as r.subprocess_env['sanip'], provided
mod_nss actually exposes it.

Good idea, it... almost works (btw, I'm also discussing this topic on the mod_nss list):

Did a quick index.php with a phpinfo() inside it and this is what I get for variables:

_SERVER["SSL_CLIENT_SAN_IPaddr_0"]=127.0.0.1
_SERVER["SSL_CLIENT_SAN_IPaddr_1"]=::1
_SERVER["SSL_CLIENT_SAN_IPaddr_2"]=159.107.78.116
_SERVER["SSL_CLIENT_SAN_IPaddr_3"]=fe80::6d03:4ce1:c15f:5a44
_SERVER["SSL_CLIENT_SAN_Email_0"]=<redacted>
_SERVER["SSL_CLIENT_SAN_Email_1"]=<redacted>

So they are present.

But this still only works for emails, not IPs:
RewriteRule .* - [E=san_email:%{SSL:SSL_CLIENT_SAN_Email_0}]
RewriteRule .* - [E=san_ip:%{SSL:SSL_CLIENT_SAN_IPaddr_0}]

And the Lua part:
r:emerg("san_ip: " .. (r.subprocess_env['san_ip'] or "N/A"));
r:emerg("san_email: " .. (r.subprocess_env['san_email'] or "N/A"));

With the associated log:
[Wed Feb 15 18:54:10.357313 2017] [lua:emerg] [pid 19109] [client 159.107.78.116:63474] san_ip:
[Wed Feb 15 18:54:10.357504 2017] [lua:emerg] [pid 19109] [client 159.107.78.116:63474] san_email: <redacted>

Just an empty string for san_ip :-(

I don't know what else to do to debug this and understand why the IP doesn't get there.
 

Following the debugging suggestion with mod_header, things are getting weirder:
NSSOptions +StdEnvVars
RewriteEngine On
RewriteRule .* - [E=san_email_0:%{SSL:SSL_CLIENT_SAN_Email_0}]
RewriteRule .* - [E=san_email_1:%{SSL:SSL_CLIENT_SAN_Email_1}]
RewriteRule .* - [E=san_ip_0:%{SSL:SSL_CLIENT_SAN_IPaddr_0}]
RewriteRule .* - [E=san_ip_1:%{SSL:SSL_CLIENT_SAN_IPaddr_1}]
RewriteRule .* - [E=c_verify:%{SSL:SSL_CLIENT_VERIFY}]
RewriteRule .* - [E=c_s_dn:%{SSL:SSL_CLIENT_S_DN}]
RewriteRule .* - [E=ssl_ver_if:%{SSL:SSL_VERSION_INTERFACE}]
RewriteRule .* - [E=ssl_ver_lib:%{SSL:SSL_VERSION_LIBRARY}]
Header set Client-IP "%{REMOTE_ADDR}e"
Header set Client-SAN-Email-0 "%{SSL_CLIENT_SAN_Email_0}e"
Header set Client-SAN-Email-1 "%{SSL_CLIENT_SAN_Email_1}e"
Header set Client-SAN-IP-0 "%{SSL_CLIENT_SAN_IPaddr_0}e"
Header set Client-SAN-IP-1 "%{SSL_CLIENT_SAN_IPaddr_1}e"
Header set Client-DN "%{SSL_CLIENT_S_DN}s"

I've enabled StdEnvVars unconditionally, with the following results:
    1. The Header expressions work properly; the values are correct using the 'e' specifier and not the 's' for SSL

    2. The RewriteRule expressions are broken, as can be seen from the Lua script log output:
        [Fri Feb 17 16:21:31.021141 2017] [lua:emerg] [pid 6510] [client 159.107.78.110:65399] san_ip_0:
        [Fri Feb 17 16:21:31.021178 2017] [lua:emerg] [pid 6510] [client 159.107.78.110:65399] san_ip_1:
        [Fri Feb 17 16:21:31.021215 2017] [lua:emerg] [pid 6510] [client 159.107.78.110:65399] san_email_0: <email0>
        [Fri Feb 17 16:21:31.021251 2017] [lua:emerg] [pid 6510] [client 159.107.78.110:65399] san_email_1: <email0>

        The IP addresses are not found at all while the Email addresses are duplicated.
        Removing the SSL: prefix from the expressions doesn't change anything.

Note: mod_ssl is not loaded at all; I've seen some of the modifiers mention that they'll read data from it.
Maybe there's a bug regarding the RewriteRule expressions? I'm using Apache/2.4.6 (Red Hat Enterprise Linux)


>
> I have run out of ideas on what to try.
>
> Please help.
>
> Thank you.
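The check the thread is after (connecting address must be one of the client certificate's IP SAN entries), written as a mod_lua hook. This is an added example for this page, not code posted by the participants or shipped with httpd or mod_nss. It assumes: StdEnvVars is on for the location (as in the config above), so the SSL module exports SSL_CLIENT_SAN_IPaddr_0, _1, ... and SSL_CLIENT_VERIFY into subprocess_env before the hook runs; the module reports a verified certificate as SSL_CLIENT_VERIFY=SUCCESS, as mod_ssl does; and the script path and hook function name are this example's own choices. It fails closed and logs when it finds no IP SAN variables at all, so a phase-ordering problem (hook running before the variables are exported) shows up as a 403 rather than a silent pass.

```lua
-- san_ip_check.lua: added example, not code from the thread or from httpd/mod_nss.
-- Denies the request unless the connecting address is one of the IP SAN entries
-- of the verified client certificate, read from the StdEnvVars export.
--
-- Assumed wiring (path and hook name are this example's own):
--   NSSOptions +StdEnvVars             (SSLOptions +StdEnvVars with mod_ssl)
--   LuaHookFixups /etc/httpd/lua/san_ip_check.lua check_san_ip

-- Expand an IPv6 literal to eight lower-case 4-digit groups so that "::1",
-- "0:0:0:0:0:0:0:1" and "0000:...:0001" compare equal. Returns nil if invalid.
local function canon_ipv6(s)
  s = s:lower():gsub("%%.*$", "")              -- drop a zone id such as %eth0
  local a, b, c, d = s:match("(%d+)%.(%d+)%.(%d+)%.(%d+)$")
  if a then                                    -- dotted tail, e.g. ::ffff:1.2.3.4
    a, b, c, d = tonumber(a), tonumber(b), tonumber(c), tonumber(d)
    if a > 255 or b > 255 or c > 255 or d > 255 then return nil end
    s = s:gsub("%d+%.%d+%.%d+%.%d+$", string.format("%x:%x", a * 256 + b, c * 256 + d))
  end
  local function groups(part)                  -- "fe80:1" -> {"fe80", "0001"}
    local t = {}
    for g in part:gmatch("[^:]+") do
      if not g:match("^%x%x?%x?%x?$") then return nil end
      t[#t + 1] = string.format("%04x", tonumber(g, 16))
    end
    return t
  end
  local head, tail = s:match("^(.-)::(.-)$")
  local out
  if head then                                 -- a single "::" stands for the zero groups
    if head:sub(-1) == ":" or tail:sub(1, 1) == ":" or tail:find("::", 1, true) then
      return nil
    end
    local l, r = groups(head), groups(tail)
    if not l or not r or #l + #r > 7 then return nil end
    out = l
    for _ = 1, 8 - #l - #r do out[#out + 1] = "0000" end
    for _, g in ipairs(r) do out[#out + 1] = g end
  else
    out = groups(s)
    if not out or #out ~= 8 then return nil end
  end
  return table.concat(out, ":")
end

-- Canonical text form of an IPv4 or IPv6 address, or nil if unparsable.
-- An IPv4-mapped address (::ffff:a.b.c.d), which a dual-stack listener reports
-- for IPv4 clients, is folded back to dotted form so it matches an IPv4 SAN.
local function canon_ip(s)
  local o = { s:match("^(%d+)%.(%d+)%.(%d+)%.(%d+)$") }
  if #o == 4 then
    for i = 1, 4 do
      o[i] = tonumber(o[i])
      if o[i] > 255 then return nil end
    end
    return table.concat(o, ".")
  end
  local v6 = canon_ipv6(s)
  if not v6 then return nil end
  local hi, lo = v6:match("^0000:0000:0000:0000:0000:ffff:(%x+):(%x+)$")
  if hi then
    hi, lo = tonumber(hi, 16), tonumber(lo, 16)
    return string.format("%d.%d.%d.%d", math.floor(hi / 256), hi % 256,
                                         math.floor(lo / 256), lo % 256)
  end
  return v6
end

-- Hook function. Returns apache2.OK to let the request continue, 403 to stop it.
-- r.useragent_ip is the TCP peer address unless mod_remoteip rewrites it from a
-- proxy header; do not combine that with this check, or the compared address
-- comes from a client-controlled header instead of the connection.
function check_san_ip(r)
  local env = r.subprocess_env
  local client = canon_ip(r.useragent_ip or "")
  if not client then
    r:err("san_ip_check: unparsable client address " .. tostring(r.useragent_ip))
    return 403
  end
  -- Never trust the SAN list of a certificate the SSL module did not verify.
  if env["SSL_CLIENT_VERIFY"] ~= "SUCCESS" then
    r:err("san_ip_check: client certificate not verified (" ..
          tostring(env["SSL_CLIENT_VERIFY"]) .. ") for " .. client)
    return 403
  end
  local n = 0
  while env["SSL_CLIENT_SAN_IPaddr_" .. n] do  -- _0, _1, ... up to the first gap
    local san = env["SSL_CLIENT_SAN_IPaddr_" .. n]
    if canon_ip(san) == client then
      r:debug("san_ip_check: " .. client .. " matched IP SAN " .. san)
      return apache2.OK
    end
    n = n + 1
  end
  if n == 0 then
    r:err("san_ip_check: no SSL_CLIENT_SAN_IPaddr_* variables for " .. client ..
          " (certificate has no IP SANs, or this hook ran before StdEnvVars were exported)")
  else
    r:err("san_ip_check: " .. client .. " is not among the " .. n .. " IP SAN entries")
  end
  return 403
end
```

The address canonicalisation is the part worth keeping even if the hook is moved to another phase: the thread's own phpinfo() dump shows mixed IPv4 and compressed IPv6 SANs, and a plain string compare against the peer address breaks on any of "::1" versus "0:0:0:0:0:0:0:1", upper-case hex, zone ids, or an IPv4 client arriving as "::ffff:a.b.c.d" on a dual-stack socket. With mod_ssl, r:ssl_var_lookup("SSL_CLIENT_SAN_IPaddr_0") could replace the subprocess_env read and let the same logic run from an earlier hook such as LuaHookAccessChecker; as the thread notes, mod_lua's SSL lookup is not available with mod_nss, which is why this version reads the exported environment instead.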


