Salam, Are you related to Nabila Khalili by chance??
On Dec 19, 2016 10:41 AM, "Marat Khalili" <m...@rqc.ru> wrote:

> Docs suggest
> <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire> using
> Require expr in place of SSLRequire. Require expr supports such variables
> as REMOTE_ADDR and CONN_REMOTE_ADDR. In any case, I do not see much sense
> in issuing or verifying certificates with IP address in subjectAltName.
>
> What you probably want is accepting clients belonging to particular group.
> Issue them certificates with the same organizational unit and verify
> SSL_CLIENT_S_DN_OU as well as SSL_CLIENT_S_DN_O.
> --
>
> With Best Regards,
> Marat Khalili
>
> On 15/12/16 13:46, Andrei Ivanov wrote:
>
> Hi,
> I'm trying to validate incoming requests by comparing the request IP to
> the IP addresses provided in the client certificate subjectAltName.
>
> Searching around, I found
> http://wiki.cacert.org/ApacheServerClientCertificateAuthentication,
> which gives an example using the email address:
>
> SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/ or
> %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/ or
> %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/ or
> %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/ or
> %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
>
> But there are 2 problems:
> 1. the IP addresses are not exported as variables by mod_ssl (see
> https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
> 2. The number of IP addresses is variable, not sure how I could do the
> check with an expression
>
> The Apache Httpd is a frontend for a PHP and a Python application, so it
> would be nice to be able to do this filtering in one place instead of doing
> it at the applications level.
>
> Any suggestions?
>
> Thank you.
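
The approach suggested in the quoted reply (Require expr in place of SSLRequire, matching on SSL_CLIENT_S_DN_O and SSL_CLIENT_S_DN_OU), written out as an added configuration example that is not part of the original thread. File paths, the O/OU values and the address range are constructed placeholders.

```apache
# Added example for Apache httpd 2.4 with mod_ssl; all values are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    "/etc/httpd/tls/server.crt"
    SSLCertificateKeyFile "/etc/httpd/tls/server.key"

    # Trust only the CA that issues the group's client certificates.
    # The O/OU comparison below is only as strong as this trust anchor:
    # any CA listed here can issue a certificate carrying the same O and OU.
    SSLCACertificateFile  "/etc/httpd/tls/clients-ca.crt"
    SSLVerifyClient require
    SSLVerifyDepth  1

    <Location "/">
        <RequireAll>
            # A client certificate must have been presented and verified.
            Require ssl-verify-client

            # Group membership: organization and organizational unit of the
            # certificate subject, compared as exact strings.
            Require expr "%{SSL_CLIENT_S_DN_O} == 'Example Org' && %{SSL_CLIENT_S_DN_OU} == 'Partners'"

            # Optional static source-address restriction using REMOTE_ADDR.
            # This is a fixed allowlist in the server configuration; it is not
            # derived from the subjectAltName IP entries of the certificate,
            # which mod_ssl does not export as variables.
            Require expr "%{REMOTE_ADDR} -ipmatch '192.0.2.0/24'"
        </RequireAll>
    </Location>
</VirtualHost>
```

Because the check sits in the frontend, the PHP and Python applications behind it receive only requests that already passed it.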