#1: SSLRequire on OID extension DER encoded field value

Posted on 2010-05-10 17:02:12 by Lionel Falise

hey guys,
I hope you're all doing fine. I need a little support here on ssl client
verification, tell me please if this is not the right place.

I need to check for specific extensions field value from x509 client
certificates to grant access to defined users.

I read this could be possible using oid() or peerextlist() functions.

I had to determine the field oid using openssl java package, and I'm
trying to debug the sslrequire check using setenvif module SSI+perl (maybe there is a better way to do this?).

So, my problem is I can't seem to find a way to validate my client based
on this field.

I was wondering if first: this should work? second: if extension value
is der encoded would apache be able to handle this check and how would I
store the granted values.

I'm using apache 2.2.9. Let me know if you need some more detailed info
on this, I can handle the certificate or my entire configuration file if

This is what I ended up trying and results:

SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire +StdEnvVars

SSLCertificateFile ssl/server.crt
SSLCertificateKeyFile ssl/server-private.key

LogLevel debug
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /ssl/clients/ca.crt

<Location />
SetenvIf OID("") "(.*)" OIDTEST=$1
SSLRequire "400023144340" in OID("")

[Mon May 10 15:59:43 2010] [info] Access to cgi-bin/ denied
for (requirement expression not fulfilled)
[Mon May 10 15:59:43 2010] [info] Failed expression: "400023144340" in

Output if bypassing the sslrequire directive (this should return the oid
matching field value, right?):

Thanks in advance for your help.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)
User Support Mailing List
Automated List Manager

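On the DER question raised in the post: an X.509 extension value is carried as DER bytes, so a string such as "400023144340" is preceded by a tag and a length and will not equal the raw bytes. The following is an added example, not code from the original post or from mod_ssl; it assumes the extension holds a single UTF8String, PrintableString or IA5String (the post does not say which), and the sample bytes are constructed.

```python
# Added example: decode a DER string extension value, then compare.
STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}  # UTF8, Printable, IA5

class DERError(ValueError):
    """Raised when the bytes are not the single DER string we expect."""

def read_tlv(buf, offset=0):
    """Return (tag, value, next_offset) for one definite-length DER TLV."""
    if len(buf) - offset < 2:
        raise DERError("truncated header")
    tag, first, pos = buf[offset], buf[offset + 1], offset + 2
    if tag & 0x1F == 0x1F:
        raise DERError("high-tag-number form not supported")
    if first < 0x80:                      # short form
        length = first
    else:                                 # long form
        n = first & 0x7F
        if n == 0 or n > 4 or len(buf) - pos < n:
            raise DERError("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if length < 0x80 or buf[pos] == 0:
            raise DERError("non-minimal length (BER, not DER)")
        pos += n
    if len(buf) - pos < length:
        raise DERError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def extension_string(der):
    """Decode a value that must be exactly one DER string, nothing more."""
    tag, value, end = read_tlv(der)
    if end != len(der):
        raise DERError("trailing bytes after value")
    if tag not in STRING_TAGS:
        raise DERError("unexpected tag 0x%02x" % tag)
    try:
        return value.decode(STRING_TAGS[tag])
    except UnicodeDecodeError as exc:
        raise DERError("bad string content") from exc

def is_granted(der, granted):
    """True only when the decoded value is one of the granted strings."""
    try:
        return extension_string(der) in granted
    except DERError:
        return False

GRANTED = {"400023144340"}                       # string from the post's SSLRequire line
SAMPLE = bytes([0x0C, 0x0C]) + b"400023144340"   # constructed UTF8String encoding
if __name__ == "__main__":
    print(is_granted(SAMPLE, GRANTED), is_granted(b"400023144340", GRANTED))
```

The granted values can be stored as plain strings; the check fails closed on anything that is not a well-formed single DER string.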