Posted to bugs@httpd.apache.org by bu...@apache.org on 2021/02/15 21:16:55 UTC

[Bug 65143] New: Hostname check on client certificate is not done, at least client ip should be checked in SSL_CLIENT_SAN_DNS_n

https://bz.apache.org/bugzilla/show_bug.cgi?id=65143

            Bug ID: 65143
           Summary: Hostname check on client certificate is not done, at
                    least client ip should be checked in
                    SSL_CLIENT_SAN_DNS_n
           Product: Apache httpd-2
           Version: 2.4-HEAD
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: smdqsm@gmail.com
  Target Milestone: ---

Currently the SSL_CLIENT_VERIFY directive only verifies the validity of the
certificate and not the hostname as it does in case of server certificate.
But can we introduce that if cert has IP address in SSL_CLIENT_SAN_DNS_n then
the client's IP address is checked in at least SSL_CLIENT_SAN_DNS_n? That way we
know the client is the real client and a sort of IP whitelisting is achieved.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 65143] Hostname check on client certificate is not done, at least client ip should be checked in SSL_CLIENT_SAN_DNS_n

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65143

Joe Orton <jo...@redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #1 from Joe Orton <jo...@redhat.com> ---
There is no standardisation of client certificate issuance which requires such
SANs to be present (at least that I'm aware of). If you impose such a policy on
certs you issue, you should be able to implement an authn rule with Require and
the %{SSL:...} env var lookups.

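As an added illustration of the approach Joe Orton points to (this configuration is not from the bug report or from the httpd project), the check can be expressed with mod_ssl's ssl-verify-client authz provider plus Require expr comparing the connecting address with the SSL_CLIENT_SAN_DNS_n values. It assumes a hypothetical /internal location and an issuing policy under which the client's IP literal is placed in a dNSName SAN, which is exactly the non-standard policy the reporter describes.

```apache
# Added example, not part of the original thread.
# Assumes /internal is the protected path and that your CA puts the
# client's IP literal into a dNSName SAN (a local policy, not a standard).
<Location "/internal">
    # Demand a client certificate that chains to the configured CA.
    SSLVerifyClient require
    SSLVerifyDepth 2

    <RequireAll>
        # mod_ssl provider: the handshake verification must have succeeded.
        Require ssl-verify-client

        # REMOTE_ADDR must equal one of the first two SAN dNSName entries.
        # An absent SSL_CLIENT_SAN_DNS_n evaluates to an empty string, so a
        # certificate without such SANs fails closed rather than open.
        <RequireAny>
            Require expr "%{REMOTE_ADDR} == %{SSL:SSL_CLIENT_SAN_DNS_0}"
            Require expr "%{REMOTE_ADDR} == %{SSL:SSL_CLIENT_SAN_DNS_1}"
        </RequireAny>
    </RequireAll>

    # Optional: export the SSL_* variables so the matched SAN can be logged.
    SSLOptions +StdEnvVars
</Location>
```

REMOTE_ADDR is the peer address httpd itself sees, so behind a reverse proxy it is the proxy, not the end client, unless mod_remoteip is configured and trusted. The comparison is a plain string match, so the SAN must be written exactly as httpd renders the address (for IPv6, the uncompressed versus compressed form matters).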