Posted to users@httpd.apache.org by Andrei Ivanov <an...@gmail.com> on 2016/12/15 10:46:25 UTC

[users@httpd] SSL_CLIENT_SAN IP addr validation

Hi,
I'm trying to validate incoming requests by comparing the request IP to the
IP addresses provided in the client certificate subjectAltName.

Searching around, I found
http://wiki.cacert.org/ApacheServerClientCertificateAuthentication, which
gives an example using the email address:

SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
           or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/
           or %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/
           or %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/
           or %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/

But there are 2 problems:
1. the IP addresses are not exported as variables by mod_ssl (see
https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
2. The number of IP addresses is variable, not sure how I could do the
check with an expression

The Apache Httpd is a frontend for a PHP and a Python application, so it
would be nice to be able to do this filtering in one place instead of doing
it at the applications level.

Any suggestions?

Thank you.

Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

Posted by Pacicin Chiaricurri <pa...@gmail.com>.
Salam,

Are you related to Nabila Khalili by chance??

On Dec 19, 2016 10:41 AM, "Marat Khalili" <mk...@rqc.ru> wrote:

> Docs suggest
> <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire> using
> Require expr in place of SSLRequire. Require expr supports such variables
> as REMOTE_ADDR and CONN_REMOTE_ADDR. In any case, I do not see much sense
> in issuing or verifying certificates with IP address in subjectAltName.
>
> What you probably want is accepting clients belonging to particular group.
> Issue them certificates with the same organizational unit and verify
> SSL_CLIENT_S_DN_OU as well as SSL_CLIENT_S_DN_O.
> --
>
> With Best Regards,
> Marat Khalili
>
> On 15/12/16 13:46, Andrei Ivanov wrote:
>
> Hi,
> I'm trying to validate incoming requests by comparing the request IP to
> the IP addresses provided in the client certificate subjectAltName.
>
> Searching around, I found
> http://wiki.cacert.org/ApacheServerClientCertificateAuthentication,
> which gives an example using the email address:
>
> SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
>            or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/
>            or %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/
>            or %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/
>            or %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
>
>
> But there are 2 problems:
> 1. the IP addresses are not exported as variables by mod_ssl (see
> https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
> 2. The number of IP addresses is variable, not sure how I could do the
> check with an expression
>
> The Apache Httpd is a frontend for a PHP and a Python application, so it
> would be nice to be able to do this filtering in one place instead of doing
> it at the applications level.
>
> Any suggestions?
>
> Thank you.
>
>
>

Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

Posted by Andrei Ivanov <an...@gmail.com>.
I think the nicest way would be like mod_ssl does with PeerExtList:

Example
SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6")

So at least it's nice to know Apache Httpd already does this in some cases.

I guess I'll update my ticket, or maybe create a new one for all
the subjectAltName variables.

Thanks for the help.

On Mon, Dec 19, 2016 at 7:48 PM, Marat Khalili <mk...@rqc.ru> wrote:

> As an additional benefit, when you will be able to issue certificates with
> regular expressions matching whole subnets! :)
>
> --
>
> With Best Regards,
> Marat Khalili
>
>
> On 19/12/16 20:41, Marat Khalili wrote:
>
>> Are you suggesting to put the IP address with the DNS prefix instead of
>>> the proper IP prefix?
>>>
>> Actually, I was not aware of official possibility of having an IP address
>> in subjectAltName until 5 minutes ago :) But since Apache developers also
>> didn't provide for this, using DNS prefix is definitely an option.
>>
>> Also what about the possibility of having a variable number of addresses
>>> there?
>>>
>> Provided you are not going to have too many SANs, quick and dirty
>> solution would be:
>>
>>> Require expr "%{REMOTE_ADDR} =~ /^(%{SSL_CLIENT_SAN_DNS_1}|%{SSL_CLIENT_SAN_DNS_2}|%{SSL_CLIENT_SAN_DNS_3}|%{SSL_CLIENT_SAN_DNS_4}|...)$/"
>>>
>> (Missing variables will expand to empty strings). I hope I know it's
>> ugly as hell, but so are client certificates with multiple IP address
>> aliases.
>>
>> --
>>
>> With Best Regards,
>> Marat Khalili
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>>
>
>
>

Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

Posted by Marat Khalili <mk...@rqc.ru>.
As an additional benefit, when you will be able to issue certificates with 
regular expressions matching whole subnets! :)

--

With Best Regards,
Marat Khalili


On 19/12/16 20:41, Marat Khalili wrote:
>> Are you suggesting to put the IP address with the DNS prefix instead 
>> of the proper IP prefix?
> Actually, I was not aware of official possibility of having an IP 
> address in subjectAltName until 5 minutes ago :) But since Apache 
> developers also didn't provide for this, using DNS prefix is 
> definitely an option.
>
>> Also what about the possibility of having a variable number of 
>> addresses there?
> Provided you are not going to have too many SANs, quick and dirty 
> solution would be:
>> Require expr "%{REMOTE_ADDR} =~ 
>> /^(%{SSL_CLIENT_SAN_DNS_1}|%{SSL_CLIENT_SAN_DNS_2}|%{SSL_CLIENT_SAN_DNS_3}|%{SSL_CLIENT_SAN_DNS_4}|...)$/"
> (Missing variables will expand to empty strings). I hope I know it's 
> ugly as hell, but so are client certificates with multiple IP address 
> aliases.
>
> -- 
>
> With Best Regards,
> Marat Khalili
>
>
>




Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

Posted by Marat Khalili <mk...@rqc.ru>.
> Are you suggesting to put the IP address with the DNS prefix instead 
> of the proper IP prefix?
Actually, I was not aware of official possibility of having an IP 
address in subjectAltName until 5 minutes ago :) But since Apache 
developers also didn't provide for this, using DNS prefix is definitely 
an option.

> Also what about the possibility of having a variable number of 
> addresses there?
Provided you are not going to have too many SANs, quick and dirty 
solution would be:
> Require expr "%{REMOTE_ADDR} =~ 
> /^(%{SSL_CLIENT_SAN_DNS_1}|%{SSL_CLIENT_SAN_DNS_2}|%{SSL_CLIENT_SAN_DNS_3}|%{SSL_CLIENT_SAN_DNS_4}|...)$/"
(Missing variables will expand to empty strings). I hope I know it's 
ugly as hell, but so are client certificates with multiple IP address 
aliases.

--

With Best Regards,
Marat Khalili


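An application-level version of the check, added here as an example; it is not code from the thread, from httpd or from mod_ssl. It sits next to Marat's `Require expr` workaround above and evaluates the same inputs two ways: a textual emulation of that regex alternation, and a comparison of parsed addresses. Its assumptions are stated in the header comment: the certificate's addresses are carried as dNSName SAN entries and reach the application as mod_ssl's `SSL_CLIENT_SAN_DNS_<n>` variables (numbered from 0 in the mod_ssl docs), the peer address is read from `CONN_REMOTE_ADDR`, and the sample environments are constructed. It goes beyond the thread in handling IPv6 spelling variants and IPv4-mapped peers on dual-stack listeners.

```python
# Added example for this thread; not code from httpd, mod_ssl, or either poster.
# It shows the check Andrei asked for done at the application level, behind
# httpd with `SSLOptions +StdEnvVars`, under two assumptions:
#   * the certificate's addresses are carried as dNSName SAN entries (Marat's
#     workaround), which mod_ssl exports as SSL_CLIENT_SAN_DNS_<n> (numbered
#     from 0 in the mod_ssl docs; the collector below reads any index present);
#   * the TLS peer address is read from CONN_REMOTE_ADDR, which stays the TCP
#     peer even when mod_remoteip rewrites REMOTE_ADDR from X-Forwarded-For.
# The environments at the bottom are constructed sample data.
import ipaddress
import re

MAX_SAN_INDEX = 32  # upper bound on SSL_CLIENT_SAN_DNS_<n> indices to scan


def san_dns_entries(env):
    """Return the SSL_CLIENT_SAN_DNS_<n> values present in env, in index order."""
    entries = []
    for n in range(MAX_SAN_INDEX):
        value = env.get(f"SSL_CLIENT_SAN_DNS_{n}")
        if value is not None:
            entries.append(value)
    return entries


def textual_check(env):
    """Emulate the thread's `Require expr` workaround: the peer address must
    match ^(entry_0|entry_1|...)$ as plain text, absent variables expanding to
    empty strings.  This is pure string comparison, so "2001:db8::1" and its
    expanded spelling "2001:0db8:...:0001" are different addresses here."""
    pattern = "^(" + "|".join(san_dns_entries(env)) + ")$"
    peer = env.get("CONN_REMOTE_ADDR", "")
    try:
        return re.match(pattern, peer) is not None
    except re.error:
        # An entry containing regex metacharacters (e.g. a wildcard name) can
        # make the assembled pattern invalid; treat that as no match.
        return False


def to_ip(text):
    """Parse text as an IP address; return None for hostnames and junk.
    IPv4-mapped IPv6 (::ffff:a.b.c.d, what a dual-stack listener reports for
    an IPv4 peer) is unmapped so it compares equal to the plain IPv4 form."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return None
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def peer_matches_cert(env):
    """Parsed check: compare binary address values, so spelling differences do
    not matter and SAN entries that are not addresses are simply ignored."""
    peer = to_ip(env.get("CONN_REMOTE_ADDR", ""))
    if peer is None:
        return False
    allowed = {ip for ip in map(to_ip, san_dns_entries(env)) if ip is not None}
    return peer in allowed


# Constructed sample environments (what the application sees in os.environ or
# the WSGI/FastCGI environ once mod_ssl exports its variables).
SAMPLES = {
    "exact_ipv4": {"CONN_REMOTE_ADDR": "10.0.0.5",
                   "SSL_CLIENT_SAN_DNS_0": "10.0.0.5",
                   "SSL_CLIENT_SAN_DNS_1": "db.example.internal"},
    "ipv6_spelling": {"CONN_REMOTE_ADDR": "2001:db8::1",
                      "SSL_CLIENT_SAN_DNS_0":
                      "2001:0db8:0000:0000:0000:0000:0000:0001"},
    "ipv4_mapped_peer": {"CONN_REMOTE_ADDR": "::ffff:10.0.0.5",
                         "SSL_CLIENT_SAN_DNS_0": "10.0.0.5"},
    "wrong_peer": {"CONN_REMOTE_ADDR": "10.0.0.6",
                   "SSL_CLIENT_SAN_DNS_0": "10.0.0.5"},
    "no_san": {"CONN_REMOTE_ADDR": "10.0.0.5"},
}


def evaluate_all():
    """Return {name: (textual_result, parsed_result)} for every sample."""
    return {name: (textual_check(env), peer_matches_cert(env))
            for name, env in SAMPLES.items()}


if __name__ == "__main__":
    for name, (textual, parsed) in evaluate_all().items():
        print(f"{name:18} Require-expr style: {textual!s:5}  parsed: {parsed}")
```

The two results only diverge on the IPv6 and IPv4-mapped samples, which is exactly where a textual `Require expr` alternation silently rejects a legitimate peer. The check reads `CONN_REMOTE_ADDR` rather than `REMOTE_ADDR` on purpose: the certificate is bound to the TLS connection's peer, and with mod_remoteip in play `REMOTE_ADDR` can carry a forwarded address instead.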


Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

Posted by Andrei Ivanov <an...@gmail.com>.
Hmm,
Are you suggesting to put the IP address with the DNS prefix instead of the
proper IP prefix?

Also what about the possibility of having a variable number of addresses
there?
It would have been nice to have something like "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddrs}",
where SSL_CLIENT_SAN_IPaddrs would be an array with the addresses and 'in'
would be the 'array contains' operator.


On Mon, Dec 19, 2016 at 6:09 PM, Marat Khalili <mk...@rqc.ru> wrote:

> If you really put IP address in domain subjectAltName and want to verify
> it, I suppose expression should be something like this:
>
> Require expr "%{SSL_CLIENT_SAN_DNS_1} == %{REMOTE_ADDR}"
>
>
> --
>
> With Best Regards,
> Marat Khalili
>
> On 19/12/16 18:48, Andrei Ivanov wrote:
>
> Hi,
> Yes, I did notice the suggestion of using Require expr, the problem is
> that I don't know what expression I could use, with the details explained
> below.
>
> Any way to do this without a variable containing the subjectAltName IP
> address?
>
> Regarding if this actually makes sense or not is a different story, as
> this was decided by other people... :-)
>
>
> On Mon, Dec 19, 2016 at 5:41 PM, Marat Khalili <mk...@rqc.ru> wrote:
>
>> Docs suggest
>> <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire> using
>> Require expr in place of SSLRequire. Require expr supports such variables
>> as REMOTE_ADDR and CONN_REMOTE_ADDR. In any case, I do not see much sense
>> in issuing or verifying certificates with IP address in subjectAltName.
>>
>> What you probably want is accepting clients belonging to particular
>> group. Issue them certificates with the same organizational unit and verify
>> SSL_CLIENT_S_DN_OU as well as SSL_CLIENT_S_DN_O.
>> --
>>
>> With Best Regards,
>> Marat Khalili
>>
>> On 15/12/16 13:46, Andrei Ivanov wrote:
>>
>> Hi,
>> I'm trying to validate incoming requests by comparing the request IP to
>> the IP addresses provided in the client certificate subjectAltName.
>>
>> Searching around, I found
>> http://wiki.cacert.org/ApacheServerClientCertificateAuthentication,
>> which gives an example using the email address:
>>
>> SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
>>            or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/
>>            or %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/
>>            or %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/
>>            or %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
>>
>>
>> But there are 2 problems:
>> 1. the IP addresses are not exported as variables by mod_ssl (see
>> https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
>> 2. The number of IP addresses is variable, not sure how I could do the
>> check with an expression
>>
>> The Apache Httpd is a frontend for a PHP and a Python application, so it
>> would be nice to be able to do this filtering in one place instead of doing
>> it at the applications level.
>>
>> Any suggestions?
>>
>> Thank you.
>>
>>
>>
>
>

Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

Posted by Marat Khalili <mk...@rqc.ru>.
If you really put IP address in domain subjectAltName and want to verify 
it, I suppose expression should be something like this:

> Require expr "%{SSL_CLIENT_SAN_DNS_1} == %{REMOTE_ADDR}"


--

With Best Regards,
Marat Khalili

On 19/12/16 18:48, Andrei Ivanov wrote:
> Hi,
> Yes, I did notice the suggestion of using Require expr, the problem is 
> that I don't know what expression I could use, with the details 
> explained below.
>
> Any way to do this without a variable containing the subjectAltName IP 
> address?
>
> Regarding if this actually makes sense or not is a different story, as 
> this was decided by other people... :-)
>
>
> On Mon, Dec 19, 2016 at 5:41 PM, Marat Khalili <mkh@rqc.ru> wrote:
>
>     Docs suggest
>     <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire>
>     using Require expr in place of SSLRequire. Require expr supports
>     such variables as REMOTE_ADDR and CONN_REMOTE_ADDR. In any case, I
>     do not see much sense in issuing or verifying certificates with IP
>     address in subjectAltName.
>
>     What you probably want is accepting clients belonging to
>     particular group. Issue them certificates with the same
>     organizational unit and verify SSL_CLIENT_S_DN_OU as well as
>     SSL_CLIENT_S_DN_O.
>
>     --
>
>     With Best Regards,
>     Marat Khalili
>
>     On 15/12/16 13:46, Andrei Ivanov wrote:
>>     Hi,
>>     I'm trying to validate incoming requests by comparing the request
>>     IP to the IP addresses provided in the client certificate
>>     subjectAltName.
>>
>>     Searching around, I found
>>     http://wiki.cacert.org/ApacheServerClientCertificateAuthentication,
>>     which gives an example using the email address:
>>     SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
>>                or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/
>>                or %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/
>>                or %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/
>>                or %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
>>
>>     But there are 2 problems:
>>     1. the IP addresses are not exported as variables by mod_ssl
>>     (see https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
>>     2. The number of IP addresses is variable, not sure how I could
>>     do the check with an expression
>>
>>     The Apache Httpd is a frontend for a PHP and a Python
>>     application, so it would be nice to be able to do this filtering
>>     in one place instead of doing it at the applications level.
>>
>>     Any suggestions?
>>
>>     Thank you.
>
>


Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

Posted by Andrei Ivanov <an...@gmail.com>.
Hi,
Yes, I did notice the suggestion of using Require expr, the problem is that
I don't know what expression I could use, with the details explained below.

Any way to do this without a variable containing the subjectAltName IP
address?

Regarding if this actually makes sense or not is a different story, as this
was decided by other people... :-)


On Mon, Dec 19, 2016 at 5:41 PM, Marat Khalili <mk...@rqc.ru> wrote:

> Docs suggest
> <https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire> using
> Require expr in place of SSLRequire. Require expr supports such variables
> as REMOTE_ADDR and CONN_REMOTE_ADDR. In any case, I do not see much sense
> in issuing or verifying certificates with IP address in subjectAltName.
>
> What you probably want is accepting clients belonging to particular group.
> Issue them certificates with the same organizational unit and verify
> SSL_CLIENT_S_DN_OU as well as SSL_CLIENT_S_DN_O.
> --
>
> With Best Regards,
> Marat Khalili
>
> On 15/12/16 13:46, Andrei Ivanov wrote:
>
> Hi,
> I'm trying to validate incoming requests by comparing the request IP to
> the IP addresses provided in the client certificate subjectAltName.
>
> Searching around, I found
> http://wiki.cacert.org/ApacheServerClientCertificateAuthentication,
> which gives an example using the email address:
>
> SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
>            or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/
>            or %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/
>            or %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/
>            or %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
>
>
> But there are 2 problems:
> 1. the IP addresses are not exported as variables by mod_ssl (see
> https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
> 2. The number of IP addresses is variable, not sure how I could do the
> check with an expression
>
> The Apache Httpd is a frontend for a PHP and a Python application, so it
> would be nice to be able to do this filtering in one place instead of doing
> it at the applications level.
>
> Any suggestions?
>
> Thank you.
>
>
>

Re: [users@httpd] SSL_CLIENT_SAN IP addr validation

Posted by Marat Khalili <mk...@rqc.ru>.
Docs suggest 
<https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslrequire> using 
Require expr in place of SSLRequire. Require expr supports such 
variables as REMOTE_ADDR and CONN_REMOTE_ADDR. In any case, I do not see 
much sense in issuing or verifying certificates with IP address in 
subjectAltName.

What you probably want is accepting clients belonging to particular 
group. Issue them certificates with the same organizational unit and 
verify SSL_CLIENT_S_DN_OU as well as SSL_CLIENT_S_DN_O.

--

With Best Regards,
Marat Khalili

On 15/12/16 13:46, Andrei Ivanov wrote:
> Hi,
> I'm trying to validate incoming requests by comparing the request IP 
> to the IP addresses provided in the client certificate subjectAltName.
>
> Searching around, I found 
> http://wiki.cacert.org/ApacheServerClientCertificateAuthentication, 
> which gives an example using the email address:
> SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
>            or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/
>            or %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/
>            or %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/
>            or %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
>
> But there are 2 problems:
> 1. the IP addresses are not exported as variables by mod_ssl (see 
> https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
> 2. The number of IP addresses is variable, not sure how I could do the 
> check with an expression
>
> The Apache Httpd is a frontend for a PHP and a Python application, so 
> it would be nice to be able to do this filtering in one place instead 
> of doing it at the applications level.
>
> Any suggestions?
>
> Thank you.


[users@httpd] Re: SSL_CLIENT_SAN IP addr validation

Posted by Andrei Ivanov <an...@gmail.com>.
Anybody? :-/

On Thu, Dec 15, 2016 at 12:46 PM, Andrei Ivanov <an...@gmail.com>
wrote:

> Hi,
> I'm trying to validate incoming requests by comparing the request IP to
> the IP addresses provided in the client certificate subjectAltName.
>
> Searching around, I found
> http://wiki.cacert.org/ApacheServerClientCertificateAuthentication,
> which gives an example using the email address:
>
> SSLRequire %{SSL_CLIENT_S_DN_Email} =~ m/^[^@]*@example\.com$/
>            or %{SSL_CLIENT_S_DN_Email_0} =~ m/^[^@]*@example\.com$/
>            or %{SSL_CLIENT_S_DN_Email_1} =~ m/^[^@]*@example\.com$/
>            or %{SSL_CLIENT_S_DN_Email_2} =~ m/^[^@]*@example\.com$/
>            or %{SSL_CLIENT_S_DN_Email_3} =~ m/^[^@]*@example\.com$/
>
> But there are 2 problems:
> 1. the IP addresses are not exported as variables by mod_ssl (see
> https://bz.apache.org/bugzilla/show_bug.cgi?id=60456)
> 2. The number of IP addresses is variable, not sure how I could do the
> check with an expression
>
> The Apache Httpd is a frontend for a PHP and a Python application, so it
> would be nice to be able to do this filtering in one place instead of doing
> it at the applications level.
>
> Any suggestions?
>
> Thank you.
>