Hi,
Yes, I did notice the suggestion of using Require expr; the problem is that I don't know what expression I could use, with the details explained below.
Any way to do this without a variable containing the subjectAltName IP address? Whether this actually makes sense or not is a different story, as this was decided by other people... :-)

On Mon, Dec 19, 2016 at 5:41 PM, Marat Khalili <m...@rqc.ru> wrote:
> Docs suggest <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire> using Require expr in place of SSLRequire. Require expr supports such variables as REMOTE_ADDR and CONN_REMOTE_ADDR. In any case, I do not see much sense in issuing or verifying certificates with IP address in subjectAltName.
>
> What you probably want is accepting clients belonging to a particular group. Issue them certificates with the same organizational unit and verify SSL_CLIENT_S_DN_OU as well as SSL_CLIENT_S_DN_O.
> --
>
> With Best Regards,
> Marat Khalili
>
> On 15/12/16 13:46, Andrei Ivanov wrote:
>
> Hi,
> I'm trying to validate incoming requests by comparing the request IP to the IP addresses provided in the client certificate subjectAltName.
>
> Searching around, I found http://wiki.cacert.org/ApacheServerClientCertificateAuthentication, which gives an example using the email address:
>
> SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/ or
> %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/ or
> %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/ or
> %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/ or
> %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
>
> But there are 2 problems:
> 1. the IP addresses are not exported as variables by mod_ssl (see https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
> 2. the number of IP addresses is variable, so I'm not sure how I could do the check with an expression
>
> The Apache httpd is a frontend for a PHP and a Python application, so it would be nice to be able to do this filtering in one place instead of doing it at the application level.
>
> Any suggestions?
>
> Thank you.
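For readers following the thread, here is what the two approaches discussed above look like as an httpd 2.4 configuration. This is an added illustration, not configuration from either poster: the vhost paths, the organisation and OU values, and the 10.0.0.0/8 network are assumptions. It shows the cacert wiki SSLRequire rule ported to Require expr, the O/OU group check Marat proposes, and, since mod_ssl does not export subjectAltName IP addresses, the nearest single-place substitute: tying a certificate OU to the network its holders connect from.

```apache
# Added example: client-certificate authorization with Require expr (httpd 2.4)
# instead of the deprecated SSLRequire. File paths, O/OU values and the
# 10.0.0.0/8 network are assumptions for illustration only.

<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key
    # CA that issued the client certificates; only certs chaining to it are accepted
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1

    # 1. The cacert wiki rule from the thread, written with Require expr.
    #    ap_expr uses =~ /regex/ and || rather than SSLRequire's m/.../ and "or".
    #    Extend the _n list if your CA places more than two Email RDNs in a subject.
    <Location "/mail-users">
        Require expr "%{SSL_CLIENT_S_DN_Email} =~ /^[^@]*@example\.com$/ || %{SSL_CLIENT_S_DN_Email_0} =~ /^[^@]*@example\.com$/ || %{SSL_CLIENT_S_DN_Email_1} =~ /^[^@]*@example\.com$/"
    </Location>

    # 2. Group membership by subject O and OU, as suggested in the reply.
    #    'in {...}' lets one rule admit several OUs issued by the same CA.
    <Location "/app">
        Require expr "%{SSL_CLIENT_S_DN_O} == 'Example Corp' && %{SSL_CLIENT_S_DN_OU} in {'frontend-clients', 'ops'}"
    </Location>

    # 3. Pinning an OU to a source network. CONN_REMOTE_ADDR is the actual TCP
    #    peer; REMOTE_ADDR may be rewritten by mod_remoteip when a proxy sits in
    #    front, so use CONN_REMOTE_ADDR unless that rewriting is intended.
    <Location "/admin">
        Require expr "%{SSL_CLIENT_S_DN_O} == 'Example Corp' && %{SSL_CLIENT_S_DN_OU} == 'ops' && %{CONN_REMOTE_ADDR} -ipmatch '10.0.0.0/8'"
    </Location>
</VirtualHost>
```

Two caveats a practitioner should keep in mind. First, the O/OU check is only as strong as the issuing CA's control over those fields, so SSLCACertificateFile must point at a CA whose enrolment process you trust to set them. Second, if the PHP or Python backends ever do need the subjectAltName contents, SSLOptions +ExportCertData makes the client certificate PEM available to them as SSL_CLIENT_CERT; that moves the SAN parsing to the application, which is exactly the duplication the original post hoped to avoid, but it is the only route until mod_ssl exports those values itself.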