Posted to bugs@httpd.apache.org by bu...@apache.org on 2016/12/08 15:44:58 UTC

[Bug 60456] New: export SSL_CLIENT_SAN_IPaddr variable

https://bz.apache.org/bugzilla/show_bug.cgi?id=60456

            Bug ID: 60456
           Summary: export SSL_CLIENT_SAN_IPaddr variable
           Product: Apache httpd-2
           Version: 2.4.23
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: bugs@httpd.apache.org
          Reporter: andrei.ivanov@gmail.com
  Target Milestone: ---

Hello,
Trying to implement mutual authentication with IP matching, I noticed that
mod_ssl doesn't export the client SAN IP.

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?revision=1750840&view=markup#l1076

Please add SSL_CLIENT_SAN_IPaddr.

Thank you

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


[Bug 60456] export SSL_CLIENT_SAN_IPaddr variable


--- Comment #4 from abbotttodd@netscape.net ---
Another user requesting this. If devs are looking for justification, then: I
create certificates for my machines with SAN with both DNS and IPAddr for my
internal machines. I use an internal private CA for both servers and clients.

I use the DNS for testing tools like postman, curl, etc., but we use the
IPAddr for most other configurations and tools. We would like the SAN IPAddr
exposed so that we may verify it in the SSLRequire against the REMOTE_ADDR. I
would like to verify that the certificate is from that remote host and not
another host, as an additional check that the certificate was not somehow copied
from the server and moved to another server, like a VM cloned accidentally or
maliciously.

Hostnames are not available on our servers to verify, so DNS is not useful at
this layer. While everything is spoofable, this is just another mitigation.
Also, since we are using apache as a proxy, much of the SSL information is not
forwarded to the application for additional verification.

I'd be happy with just SSL_CLIENT_SAN_IPADDR_# or similar but the list would
also be nice.



[Bug 60456] export SSL_CLIENT_SAN_IPaddr variable


--- Comment #6 from Andrei Ivanov <an...@gmail.com> ---
Btw, my main problem, the filtering, was solved with the help of a patch from
Yann Ylavic, pending inclusion:

http://mail-archives.apache.org/mod_mbox/httpd-dev/201707.mbox/%3CCAKQ1sVMZeDOLh62hE%2Bsrb92EgEWANjaoFkhOx5bD%3Dy4sG91wRg%40mail.gmail.com%3E

I still think it would be nice to have the SAN IP exposed as the rest of the
variables.



[Bug 60456] export SSL_CLIENT_SAN_IPaddr variable


Szőgyényi Gábor <sz...@freemail.hu> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |szg0000@freemail.hu



[Bug 60456] export SSL_CLIENT_SAN_IPaddr variable


Andrei Ivanov <an...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from Andrei Ivanov <an...@gmail.com> ---
An even better fix would be to (also) have SSL_CLIENT_SAN_IPaddrs (note the
plural) as a list, to allow an expression like this:

"%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddrs}"

Without the list, I don't see how an expression like this can be properly
written.

This is inspired by PeerExtList:
SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6")



[Bug 60456] export SSL_CLIENT_SAN_IPaddr variable


--- Comment #5 from abbotttodd@netscape.net ---
Created attachment 35204
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35204&action=edit
Proposed Patch for SAN IP

Proposed Patch for getting ipaddr from SSL client cert

Proxy config might look like:
SSLRequire ( %{REMOTE_ADDR} in { %{SSL_CLIENT_SAN_IP_0}, %{SSL_CLIENT_SAN_IP_1}, %{SSL_CLIENT_SAN_IP_2} } )

It basically clones the IP address print statement from openssl, slightly
altered, as I could not see how to get openssl to do the formatting. It
generates IPv6 in lower case, which is in line with what I saw with
REMOTE_ADDR.

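An added C example (not the attachment from Comment #5, whose code is not reproduced here) showing the two halves of the check discussed in Comment #1 and Comment #5: rendering the raw iPAddress SAN octets as text, and comparing them against REMOTE_ADDR. It assumes the octets have already been pulled out of the client certificate's subjectAltName, and the uncompressed lowercase eight-group IPv6 text form is an assumption about what the proposed patch prints.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Render raw iPAddress SAN octets as text: dotted quad for 4 bytes,
   eight lowercase hex groups (no "::" compression) for 16 bytes.
   Returns 0 on success, -1 on an unexpected length or a short buffer. */
int san_ip_to_string(const unsigned char *octets, size_t len,
                     char *out, size_t outlen)
{
    if (len == 4) {
        int n = snprintf(out, outlen, "%u.%u.%u.%u",
                         octets[0], octets[1], octets[2], octets[3]);
        return (n > 0 && (size_t)n < outlen) ? 0 : -1;
    }
    if (len == 16) {
        size_t pos = 0;
        for (int i = 0; i < 8; i++) {
            unsigned group = (unsigned)((octets[2 * i] << 8) | octets[2 * i + 1]);
            int n = snprintf(out + pos, outlen - pos, "%s%x", i ? ":" : "", group);
            if (n < 0 || (size_t)n >= outlen - pos)
                return -1;
            pos += (size_t)n;
        }
        return 0;
    }
    return -1;
}

/* Convenience wrapper returning a static buffer (NULL on failure). */
const char *san_ip_string(const unsigned char *octets, size_t len)
{
    static char buf[INET6_ADDRSTRLEN + 1];
    return san_ip_to_string(octets, len, buf, sizeof buf) == 0 ? buf : NULL;
}

/* Compare the SAN octets with REMOTE_ADDR in binary form via inet_pton, so
   a peer seen as "2001:db8::1" still matches a SAN rendered as
   "2001:db8:0:0:0:0:0:1"; a plain string comparison would reject it. */
int san_ip_matches_remote(const unsigned char *octets, size_t len,
                          const char *remote_addr)
{
    unsigned char bin[16];
    int af = (len == 4) ? AF_INET : (len == 16) ? AF_INET6 : -1;

    if (af < 0 || inet_pton(af, remote_addr, bin) != 1)
        return 0;
    return memcmp(bin, octets, len) == 0;
}

/* Constructed sample SAN octets (not taken from any real certificate). */
static const unsigned char SAMPLE_V4[4] = { 192, 168, 1, 10 };
static const unsigned char SAMPLE_V6[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
                                             0, 0, 0, 0, 0, 0, 0, 1 };
```

Apache renders REMOTE_ADDR in inet_ntop style with "::" compression, so an SSLRequire string comparison against an uncompressed SAN text form would miss IPv6 peers; comparing in binary sidesteps that.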


[Bug 60456] export SSL_CLIENT_SAN_IPaddr variable


--- Comment #2 from Andrei Ivanov <an...@gmail.com> ---
Any thoughts?



[Bug 60456] export SSL_CLIENT_SAN_IPaddr variable


--- Comment #3 from Andrei Ivanov <an...@gmail.com> ---
Anybody? :-(
