Bookmarks

Yahoo Gmail Google Facebook Delicious Twitter Reddit Stumpleupon Myspace Digg

Search queries

www.xxxcon, which comes first ob_start or session, wwwxxx/58/2010, xxxxdup, xxxxdup, mailx informatii, should producers of software-based services, such as atms, be held liable for economic injuries suffered when their systems fail?, mysql feiertage, bash netcat eof, 192.168.1.41:8000

Links

XODOX
Impressum

#1: SSLRequire on OID extension DER encoded field value

Posted on 2010-05-10 17:02:12 by Lionel Falise

hey guys,
I hope you're all doing fine. I need a little support here on ssl client
verification, tell me please if this is not the right place.=20

I need to check for specific extensions field value from x509 client
certificates to grant access to defined users.=20

I read this could be possible using oid() or peerextlist() functions.=20

I had to determine the field oid using openssl java package, and I'm
trying to debug the sslrequire check using setenfiv module SSI+perl
printenv.pl (maybe there is a better way to do this?).=20

So, my problem is I can't seem to find a way to validate my client based
on this field.=20

I was wondering if first: this should work? second: if extension value
is der encoded would apache be able to handle this check and how would I
store the granted values.=20

I'm using apache 2.2.9. Let me know if you need some more detailed info
on this, I can handle the certificate or my entire configuration file if
needed.

This is what I ended up trying and results:

SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire +StdEnvVars=20

SSLCertificateFile ssl/server.crt
SSLCertificateKeyFile ssl/server-private.key=20

LogLevel debug
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /ssl/clients/ca.crt

<Location />
SetenvIf OID("2.5.4.5") "(.*)" OIDTEST=3D$1
SSLRequire "400023144340" in OID("2.5.4.5")
</Location>=09


[Mon May 10 15:59:43 2010] [info] Access to cgi-bin/printenv.pl denied
for 127.0.0.1 (requirement expression not fulfilled)=20
[Mon May 10 15:59:43 2010] [info] Failed expression: "400023144340" in
OID("2.5.4.5")

Output if bypassing the sslrequire directive (this should return the oid
matching field value, right?):
OIDTEST=3D""

Thanks in advance for your help.
Lionel
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Report this message