Trying to compare client-cert pem-file to %{SSL_CLIENT_CERT}

on 15.02.2010 09:09:25 by Christoph Schmidt

Dear subscribers!

For a custom update site, we want to binary-check the (self-signed) certificates sent by our client applications against a physical copy of the certificate residing on our server. (Standard matching rules are deployed and working, but considered "not enough".) The rules per application reside inside an .htaccess file per directory associated with the solution.
The problem is that the comparison

SSLRequire ( %{SSL_CLIENT_CERT} == file("/pathto/solutionIDxyzabc/CERT.pem") )

always fails ("[info] Failed expression:"). Loading the certificate into a fresh environment variable doesn't improve the situation, neither does holding the pem-encoded certificate data directly inside the rule. When I output $_Server['SSL_CLIENT_CERT'] and the variable holding the reference certificate via php, I get seemingly identical outputs. I think, though, that the differences are in the realm of the non-printable characters of the client certificate, like trailing spaces or line breaks, which can't be analyzed with php in the middle. Unfortunately, the rule can't be debugged so well in context, because of a lack of print statements in the configuration context. LogLevel debug states nothing more than that the rule given above failed to yield 'true'.

I checked the first couple dozen hits for "'SSL_CLIENT_CERT'" on Google, but all of them are either occurrences of the default configuration file (explaining that ExportCertData generates the input for SSL_CLIENT_CERT and SSL_SERVER_CERT) or concerned with handing the certificate through a proxy to a backend server, which doesn't apply to my situation. The mailing list archive didn't seem to have a matching problem either (and encumbers the search by removing the _'s from SSL_CLIENT_CERT' :P).

I would be grateful for any pointers towards how to implement this rule or a specification as to how SSL_CLIENT_CERT is formatted (i.e. how the reference file/data should look).

The versions used:
# openssl version
OpenSSL 0.9.8g 19 Oct 2007
# apache2 -v
Server version: Apache/2.2.8 (Ubuntu)
Server built: Jun 18 2009 08:45:39
Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 mod_jk/1.2.25 mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 Server at * Port 443

Many thanks in advance!

Best regards,

--Christoph Schmidt
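The `==` in an SSLRequire expression is a plain string comparison, so the rule above can only succeed if the exported client certificate and the stored file agree byte for byte, including line endings, line wrapping and trailing whitespace. The script below is an added example written for this page; it is not part of the original post and not mod_ssl code. It decodes both PEM renderings to their DER bytes and compares those (and their SHA-256 fingerprint), which is stable across whitespace differences, and it reports the first differing character so that a line-break or trailing-space mismatch of the kind the poster suspects becomes visible. The PEM payload used here is constructed placeholder bytes, not a real certificate; the decoding and comparison logic is the same for a real one.

```python
import base64
import hashlib
import re

# One PEM block: type in the BEGIN/END lines, base64 body in between.
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def pem_to_der(pem: str) -> bytes:
    """Decode the first PEM block in `pem` to its raw DER bytes.

    Line-break style (LF vs CRLF), wrap width and trailing blanks are
    discarded, so two PEM renderings of the same certificate decode to
    identical bytes even when their text does not match.
    """
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no PEM block found")
    body = re.sub(r"\s+", "", m.group(2))
    return base64.b64decode(body, validate=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER bytes, hex encoded."""
    return hashlib.sha256(der).hexdigest()


def same_certificate(pem_a: str, pem_b: str) -> bool:
    """True if both PEM texts encode the same DER bytes."""
    return pem_to_der(pem_a) == pem_to_der(pem_b)


def first_difference(a: str, b: str):
    """(index, repr(char_a), repr(char_b)) of the first mismatch, or None.

    repr() makes non-printable characters such as '\\r' or a trailing
    space visible, which a plain print of both strings hides.
    """
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i, repr(x), repr(y)
    if len(a) != len(b):
        i = min(len(a), len(b))
        return i, repr(a[i:i + 1]), repr(b[i:i + 1])
    return None


def render_pem(der: bytes, newline: str = "\n", width: int = 64) -> str:
    """Render DER bytes as a PEM CERTIFICATE block with the given layout."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return newline.join(
        ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
    ) + newline


# Constructed placeholder payload (not a real certificate).
PAYLOAD = bytes(range(256))

# The same payload rendered two ways: the stored reference file with LF
# endings and 64-column wrapping, and a "received" copy with CRLF endings,
# 76-column wrapping and a trailing space on every line.
REFERENCE_PEM = render_pem(PAYLOAD, "\n", 64)
RECEIVED_PEM = render_pem(PAYLOAD, "\r\n", 76).replace("\r\n", " \r\n")


if __name__ == "__main__":
    print("text identical:", REFERENCE_PEM == RECEIVED_PEM)
    print("first difference:", first_difference(REFERENCE_PEM, RECEIVED_PEM))
    print("same certificate (DER):", same_certificate(REFERENCE_PEM, RECEIVED_PEM))
    print("fingerprint:", fingerprint(pem_to_der(REFERENCE_PEM)))
```

Running the script shows the two texts differ at index 27, right after the BEGIN line, where one has a newline and the other a space, while the DER comparison and the fingerprint agree. Comparing at the DER or fingerprint level rather than on the PEM text is the robust way to pin a client to a specific certificate, whatever tool performs the check.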

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org