SSLRequire, client certs and dynamic IP addresses

SSLRequire, client certs and dynamic IP addresses

am 06.05.2008 17:02:55 von frederique_daluene

Hello,

We are trying to set up mod_ssl to get some "proper"
access to two classes of users.=20

First, everybody must use client certs (signed by our
CA). Client cert control is okay and works properly
(SSLVerifyClient require, SSLVerifyDepth 1 and such).

Now, we have two classes of client certs, based on the
OU. Say, OU=3D"Class 1" and OU=3D"Class 2". We want to
allow :
- all users with "Class 1" certificates, and
- users with "Class 2" certs ONLY when they are
browsing from some IP addresses.

Those IP addresses are not known in advance, and may
be dynamic. Let's say we have an external list
(updated by some mean, irrelevant to our problem). How
can we check this list and correlate it with the OU
from the client cert ? We thought that something like

SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Class 1"
or ( %{SSL_CLIENT_S_DN_OU} eq "Class 2"
and %{REMOTE_ADDR} in { file("/tmp/list") } )

(where /tmp/list is a list of allowed IP addresses)
would be the way to go, but this utterly fails.
Mod_ssl properly opens the file (strace shows that),
but even when the browser is coming from an IP in the
list, no access is granted.

Is this a problem coming from the file's content
(syntax ?), or are we wrong in our thinking ? And
then, what would be the way to go ?

Tia,
-- FdL

__________________________________________________
Do You Yahoo!?
En finir avec le spam? Yahoo! Mail vous offre la meilleure protection pos=
sible contre les messages non sollicit=E9s=20
http://mail.yahoo.fr Yahoo! Mail=20
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: SSLRequire, client certs and dynamic IP addresses

am 07.05.2008 17:22:04 von Joe Orton

On Tue, May 06, 2008 at 05:02:55PM +0200, Frédérique Da Luene w=
rote:
> Hello,
>=20
> We are trying to set up mod_ssl to get some "proper"
> access to two classes of users.=20
>=20
> First, everybody must use client certs (signed by our
> CA). Client cert control is okay and works properly
> (SSLVerifyClient require, SSLVerifyDepth 1 and such).
>=20
> Now, we have two classes of client certs, based on the
> OU. Say, OU=3D"Class 1" and OU=3D"Class 2". We want to
> allow :
> - all users with "Class 1" certificates, and
> - users with "Class 2" certs ONLY when they are
> browsing from some IP addresses.
>=20
> Those IP addresses are not known in advance, and may
> be dynamic. Let's say we have an external list
> (updated by some mean, irrelevant to our problem). How
> can we check this list and correlate it with the OU
> from the client cert ? We thought that something like
>=20
> SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Class 1"
> or ( %{SSL_CLIENT_S_DN_OU} eq "Class 2"
> and %{REMOTE_ADDR} in { file("/tmp/list") } )
>=20
> (where /tmp/list is a list of allowed IP addresses)
> would be the way to go, but this utterly fails.

From looking at the code, I don't think that would work as you expect.

If /tmp/list contained "addr1 addr2 addr3", it would be equivalent to

and %{REMOTE_ADDR} in { "addr1 addr2 addr3" }

i.e. a direct match against the entire file contents, not

and %{REMOTE_ADDR} in { "addr", "addr2", "addr3" }

which is what you'd need. =20

It might be possible to express this requirement using some combination=20
of Require/Satisfy, or failing that, mod_rewrite; I'd recommend asking=20
on the httpd users' list instead:

http://httpd.apache.org/lists.html#http-users

if nothing works out you could file a bug, it might be possible to=20
enhance mod_ssl to make this work somehow.

joe
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org