



#1: SSLRequire on OID extension DER encoded field value

Posted on 2010-05-10 17:02:12 by Lionel Falise

hey guys,
I hope you're all doing fine. I need a little support here on ssl client
verification, tell me please if this is not the right place.

I need to check for specific extensions field value from x509 client
certificates to grant access to defined users.

I read this could be possible using oid() or peerextlist() functions.

I had to determine the field oid using openssl java package, and I'm
trying to debug the sslrequire check using SetEnvIf module SSI+perl (maybe there is a better way to do this?).

So, my problem is I can't seem to find a way to validate my client based
on this field.

I was wondering if first: this should work? second: if extension value
is der encoded would apache be able to handle this check and how would I
store the granted values.

I'm using apache 2.2.9. Let me know if you need some more detailed info
on this, I can handle the certificate or my entire configuration file if

This is what I ended up trying and results:

SSLEngine on
SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire +StdEnvVars

SSLCertificateFile ssl/server.crt
SSLCertificateKeyFile ssl/server-private.key

LogLevel debug
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /ssl/clients/ca.crt

<Location />
SetenvIf OID("") "(.*)" OIDTEST=$1
SSLRequire "400023144340" in OID("")

[Mon May 10 15:59:43 2010] [info] Access to cgi-bin/ denied
for (requirement expression not fulfilled)
[Mon May 10 15:59:43 2010] [info] Failed expression: "400023144340" in

Output if bypassing the sslrequire directive (this should return the oid
matching field value, right?):

Thanks in advance for your help.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)
User Support Mailing List
Automated List Manager
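The post asks whether a DER-encoded extension value can be matched by a string comparison in SSLRequire. The script below is an added example, not code from the post or from mod_ssl: it builds an X.509 Extension (SEQUENCE of extnID, optional critical flag, extnValue OCTET STRING) with constructed data, then decodes it to show the text that a string comparison would have to equal. The OID `1.2.3.4.5.6` and the sample payloads are placeholders, since the real extension OID is not on the page; the stdlib-only DER helpers (`der_tlv`, `der_encode`, `oid_encode`, `oid_decode`) are assumptions of this example.

```python
# Added example (not from the post): decode a DER-encoded X.509 extension to
# see what string an SSLRequire comparison such as
#   SSLRequire "400023144340" in OID("<oid>")
# would have to match.  All data is constructed inline; the OID is a
# placeholder because the poster's real OID is not on the page.

STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String"}
PLACEHOLDER_OID = "1.2.3.4.5.6"   # placeholder, not the poster's extension OID


def der_tlv(buf, pos=0):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_encode(tag, value):
    """Wrap value in a DER TLV with the given tag (short or long length form)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    lb = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def oid_encode(dotted):
    """Dotted OID text -> DER OBJECT IDENTIFIER (first two arcs merged, base-128)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for sub in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]
        sub >>= 7
        while sub:
            chunk.insert(0, 0x80 | (sub & 0x7F))
            sub >>= 7
        body.extend(chunk)
    return der_encode(0x06, bytes(body))


def oid_decode(body):
    """DER OBJECT IDENTIFIER contents -> dotted text."""
    subs, val = [], 0
    for b in body:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(val)
            val = 0
    first = subs[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(str(a) for a in arcs + subs[1:])


def build_extension(oid, inner_der, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }; extnValue carries the DER of the real payload."""
    body = oid_encode(oid)
    if critical:
        body += der_encode(0x01, b"\xff")
    return der_encode(0x30, body + der_encode(0x04, inner_der))


def parse_extension(ext_der):
    """Return (oid, critical, payload_tag, payload_bytes) for one Extension."""
    tag, seq, _ = der_tlv(ext_der)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid_body, pos = der_tlv(seq)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    critical = False
    tag, val, pos = der_tlv(seq, pos)
    if tag == 0x01:                        # optional critical flag
        critical = val == b"\xff"
        tag, val, pos = der_tlv(seq, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    payload_tag, payload, _ = der_tlv(val)  # unwrap the DER inside the OCTET STRING
    return oid_decode(oid_body), critical, payload_tag, payload


def extension_string_value(ext_der):
    """Text a string comparison would see, or None when the payload is not an
    ASN.1 string type (for example raw OCTET STRING bytes)."""
    _, _, ptag, payload = parse_extension(ext_der)
    if ptag not in STRING_TAGS:
        return None
    return payload.decode("utf-8" if ptag == 0x0C else "ascii")


# Constructed samples: the same digits stored as a PrintableString and as raw bytes.
TEXT_EXT = build_extension(PLACEHOLDER_OID, der_encode(0x13, b"400023144340"))
BYTES_EXT = build_extension(PLACEHOLDER_OID, der_encode(0x04, bytes.fromhex("400023144340")))

if __name__ == "__main__":
    for name, ext in (("PrintableString", TEXT_EXT), ("raw OCTET STRING", BYTES_EXT)):
        oid, crit, ptag, payload = parse_extension(ext)
        print(f"{name}: oid={oid} critical={crit} tag=0x{ptag:02x} "
              f"hex={payload.hex()} string={extension_string_value(ext)!r}")
```

Running it shows the distinction the question turns on: when the extension payload is an ASN.1 string type, there is a text value ("400023144340") for a string comparison to equal; when the same digits are stored as raw OCTET STRING bytes, no such text exists and a rule written against the literal digits cannot match. Decoding the client certificate's extension this way (or with `openssl x509 -in client.crt -noout -text`) before writing the SSLRequire rule tells you which of the two cases you are in.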
