I think the nicest way would be like mod_ssl does with PeerExtList:

Example

    SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6")

So at least it's nice to know Apache Httpd already does this in some cases. I guess I'll update my ticket, or maybe create a new one for all the subjectAltName variables.

Thanks for the help.

On Mon, Dec 19, 2016 at 7:48 PM, Marat Khalili <m...@rqc.ru> wrote:

> As additional benefit, when you will be able to issue certificates with
> regular expressions matching whole subnets! :)
>
> --
>
> With Best Regards,
> Marat Khalili
>
> On 19/12/16 20:41, Marat Khalili wrote:
>
>>> Are you suggesting to put the IP address with the DNS prefix instead of
>>> the proper IP prefix?
>>
>> Actually, I was not aware of official possibility of having an IP address
>> in subjectAltName until 5 minutes ago :) But since Apache developers also
>> didn't provide for this, using DNS prefix is definitely an option.
>>
>>> Also what about the possibility of having a variable number of addresses
>>> there?
>>
>> Provided you are not going to have too many SANs, quick and dirty
>> solution would be:
>>
>>> Require expr "%{REMOTE_ADDR} =~ /^(%{SSL_CLIENT_SAN_DNS_1}|%{SSL_CLIENT_SAN_DNS_2}|%{SSL_CLIENT_SAN_DNS_3}|%{SSL_CLIENT_SAN_DNS_4}|...)$/"
>>
>> (Missing variables will expand to empty strings). I hope I know it's
>> ugly as hell, but so are client certificates with multiple IP address
>> aliases.
>>
>> --
>>
>> With Best Regards,
>> Marat Khalili
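
Added example, not part of the thread: a Python sketch contrasting the regex alternation quoted above with an exact comparison of parsed addresses, showing why SAN values pasted into a pattern behave as patterns. The function names and sample SAN values are constructed for illustration, and the regex emulation assumes the variables expand inside the pattern and that missing ones become empty strings, as the post describes.

```python
import ipaddress
import re

def regex_allows(remote_addr, san_values, slots=4):
    """Emulate the quoted Require expr: SAN values pasted into one regex.

    Assumption: each variable expands inside the pattern and missing
    variables expand to empty strings, as described in the thread.
    """
    padded = (list(san_values) + [""] * slots)[:slots]
    pattern = "^(" + "|".join(padded) + ")$"
    try:
        return re.search(pattern, remote_addr) is not None
    except re.error:
        return False  # a SAN value that is not a valid pattern denies

def exact_allows(remote_addr, san_values):
    """Compare parsed addresses; SAN values that are not IPs are ignored."""
    try:
        remote = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    for value in san_values:
        try:
            if ipaddress.ip_address(value) == remote:
                return True
        except ValueError:
            continue
    return False

# Constructed sample data (documentation address ranges).
CASES = [
    ("192.0.2.10", ["192.0.2.10", "198.51.100.7"]),  # listed address
    ("192.0.2.77", ["192.0.2.10"]),                  # unlisted address
    ("192.0.2.77", [r"192\.0\.2\.\d+"]),             # SAN holding a pattern
    ("2001:db8:0:0:0:0:0:1", ["2001:db8::1"]),       # same IPv6, other spelling
]

def compare():
    """Return (regex_result, exact_result) for each constructed case."""
    return [(regex_allows(a, s), exact_allows(a, s)) for a, s in CASES]

if __name__ == "__main__":
    for (addr, sans), result in zip(CASES, compare()):
        print(addr, sans, "regex=%s exact=%s" % result)
```

The third case is the "whole subnets" effect mentioned in the thread: the regex form accepts whatever the certificate's SAN text matches, while the parsed comparison accepts only addresses that are literally listed.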