Posted to bugs@httpd.apache.org by bu...@apache.org on 2021/02/15 21:16:55 UTC
[Bug 65143] New: Hostname check on client certificate is not done, at least client ip should be checked in SSL_CLIENT_SAN_DNS_n
https://bz.apache.org/bugzilla/show_bug.cgi?id=65143
Bug ID: 65143
Summary: Hostname check on client certificate is not done, at least client ip should be checked in SSL_CLIENT_SAN_DNS_n
Product: Apache httpd-2
Version: 2.4-HEAD
Hardware: PC
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
Assignee: bugs@httpd.apache.org
Reporter: smdqsm@gmail.com
Target Milestone: ---
Currently the SSL_CLIENT_VERIFY directive only verifies the validity of the
certificate and not the hostname, as it does in the case of the server certificate.
But can we introduce that, if the cert has an IP address in SSL_CLIENT_SAN_DNS_n, then
the client's IP address is checked in at least SSL_CLIENT_SAN_DNS_n? That way we
know the client is the real client and a sort of IP whitelisting is achieved.
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
[Bug 65143] Hostname check on client certificate is not done, at least client ip should be checked in SSL_CLIENT_SAN_DNS_n
Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65143
Joe Orton <jo...@redhat.com> changed:
What        |Removed |Added
----------------------------------------------------------------------------
Status      |NEW     |RESOLVED
Resolution  |---     |WONTFIX
--- Comment #1 from Joe Orton <jo...@redhat.com> ---
There is no standardisation of client certificate issuance which requires such
SANs to be present (at least that I'm aware of). If you impose such a policy on
certs you issue, you should be able to implement an authn rule with Require and
the %{SSL:...} env var lookups.
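The kind of authz rule the comment above points at, as an added example that is not part of the bug thread or of httpd's own configuration: it assumes the site issues client certificates with the client's IP literal in a dNSName SAN (the reporter's proposal), that at most two such SANs are present, and that httpd talks to the client directly so REMOTE_ADDR is the real peer address rather than a reverse proxy.

```apache
# Added example (not from the bug thread): deny access unless the connecting
# peer's address matches one of the client certificate's dNSName SANs.
# Assumptions: certs carry the client IP literal as a dNSName SAN, at most two
# SAN slots are used, and no reverse proxy sits in front of this vhost.
SSLEngine on
SSLVerifyClient require
SSLVerifyDepth 2
# Export the SSL_CLIENT_* variables for logging and CGI as well.
SSLOptions +StdEnvVars

<Location "/internal/">
    # %{SSL:...} gives ap_expr direct access to mod_ssl variables.
    # SSL_CLIENT_SAN_DNS_n is indexed from 0 and evaluates to an empty
    # string when that slot is absent, so a certificate without such a
    # SAN never matches and is denied.
    Require expr "%{REMOTE_ADDR} == %{SSL:SSL_CLIENT_SAN_DNS_0} || %{REMOTE_ADDR} == %{SSL:SSL_CLIENT_SAN_DNS_1}"
</Location>
```

The check is only as strong as the issuance policy behind it: mod_ssl still validates the chain as usual, and this rule adds a second factor (the peer address) on top of that rather than replacing it.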