#1: SSLRequire on OID extension DER encoded field value

Posted on 2010-05-10 17:02:12 by Lionel Falise

hey guys,
I hope you're all doing fine. I need a little support here on SSL client
verification; tell me please if this is not the right place.

I need to check for a specific extension field value from X.509 client
certificates to grant access to defined users.

I read this could be possible using the OID() or PeerExtList() functions.

I had to determine the field OID using the OpenSSL Java package, and I'm
trying to debug the SSLRequire check using the SetEnvIf module plus SSI+Perl
printenv.pl (maybe there is a better way to do this?).

So, my problem is I can't seem to find a way to validate my client based
on this field.

I was wondering, first: should this work? Second: if the extension value
is DER encoded, would Apache be able to handle this check, and how would I
store the granted values?

I'm using apache 2.2.9. Let me know if you need some more detailed info
on this, I can handle the certificate or my entire configuration file if
needed.

This is what I ended up trying and results:

SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire +StdEnvVars

SSLCertificateFile ssl/server.crt
SSLCertificateKeyFile ssl/server-private.key

LogLevel debug
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /ssl/clients/ca.crt

<Location />
    SetEnvIf OID("2.5.4.5") "(.*)" OIDTEST=$1
    SSLRequire "400023144340" in OID("2.5.4.5")
</Location>


[Mon May 10 15:59:43 2010] [info] Access to cgi-bin/printenv.pl denied
for 127.0.0.1 (requirement expression not fulfilled)
[Mon May 10 15:59:43 2010] [info] Failed expression: "400023144340" in
OID("2.5.4.5")

Output if bypassing the SSLRequire directive (this should return the OID
matching field value, right?):
OIDTEST=""

Thanks in advance for your help.
Lionel
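An added example (not part of the post, and not mod_ssl code) that shows what a custom extension value looks like once it is DER encoded, which is the crux of the second question above: the extension bytes carry an ASN.1 tag and length in front of the text, so a check that compares them against a bare string such as "400023144340" sees different bytes unless the value is decoded first. The sample value is constructed from the post; the tag numbers are the standard ASN.1 universal tags.

```python
# Added example: decode the DER string types that usually carry a custom
# X.509 extension value, to see what bytes a check like
#   SSLRequire "400023144340" in OID("...")
# would have to match if the extension is stored DER encoded.

# ASN.1 universal tags for the string types most often found in extensions.
STRING_TAGS = {
    0x04: "OCTET STRING",
    0x0C: "UTF8String",
    0x13: "PrintableString",
    0x16: "IA5String",
}

def der_length(buf, pos):
    """Parse a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:                       # short form: one byte
        return first, pos + 1
    n = first & 0x7F                       # long form: next n bytes, big-endian
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("bad DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def decode_der_string(buf):
    """Return (type name, decoded text) for a single DER string TLV."""
    if len(buf) < 2 or buf[0] not in STRING_TAGS:
        raise ValueError("not a DER string type")
    length, start = der_length(buf, 1)
    if start + length != len(buf):
        raise ValueError("length does not match buffer (trailing/missing bytes)")
    raw = buf[start:start + length]
    text = raw.decode("utf-8") if buf[0] == 0x0C else raw.decode("ascii")
    return STRING_TAGS[buf[0]], text

def encode_der_string(tag, text):
    """Build a DER TLV for one of the string types (used for constructed test data)."""
    raw = text.encode("utf-8")
    if len(raw) < 0x80:
        length = bytes([len(raw)])
    else:
        lb = len(raw).to_bytes((len(raw).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + raw

def extension_matches(der_value, wanted):
    """True if the decoded extension text equals the value the admin expects."""
    return decode_der_string(der_value)[1] == wanted

# Constructed sample: the value from the post, as a DER PrintableString.
SAMPLE = encode_der_string(0x13, "400023144340")

if __name__ == "__main__":
    print(SAMPLE.hex())                   # 130c343030303233313434333430
    print(decode_der_string(SAMPLE))      # ('PrintableString', '400023144340')
    # Raw bytes never equal the bare ASCII string: the tag/length prefix differs.
    print(SAMPLE == b"400023144340", extension_matches(SAMPLE, "400023144340"))
```

Dumping the real certificate with `openssl x509 -in client.crt -noout -text` shows the extension as OpenSSL decodes it, which is a quick way to confirm which string type the issuing CA used before writing the match value.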
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
