SSLRequire, client certs and dynamic IP addresses

Hello,

We are trying to set up mod_ssl to get some "proper" access to two classes of users.

First, everybody must use client certs (signed by our CA). Client cert control is okay and works properly (SSLVerifyClient require, SSLVerifyDepth 1 and such).

Now, we have two classes of client certs, based on the OU. Say, OU="Class 1" and OU="Class 2". We want to allow:
- all users with "Class 1" certificates, and
- users with "Class 2" certs ONLY when they are browsing from some IP addresses.

Those IP addresses are not known in advance, and may be dynamic. Let's say we have an external list (updated by some means, irrelevant to our problem). How can we check this list and correlate it with the OU from the client cert? We thought that something like

    SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Class 1" \
            or ( %{SSL_CLIENT_S_DN_OU} eq "Class 2" \
                 and %{REMOTE_ADDR} in { file("/tmp/list") } )

(where /tmp/list is a list of allowed IP addresses) would be the way to go, but this utterly fails. mod_ssl properly opens the file (strace shows that), but even when the browser is coming from an IP in the list, no access is granted.

Is this a problem coming from the file's content (syntax?), or are we wrong in our thinking? And then, what would be the way to go?

TIA,
-- 
FdL

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                               modssl-users@...
Automated List Manager                                  majordomo@...
Re: SSLRequire, client certs and dynamic IP addresses

On Tue, May 06, 2008 at 05:02:55PM +0200, Frédérique Da Luene wrote:
> Hello,
>
> We are trying to set up mod_ssl to get some "proper"
> access to two classes of users.
>
> First, everybody must use client certs (signed by our
> CA). Client cert control is okay and works properly
> (SSLVerifyClient require, SSLVerifyDepth 1 and such).
>
> Now, we have two classes of client certs, based on the
> OU. Say, OU="Class 1" and OU="Class 2". We want to
> allow:
> - all users with "Class 1" certificates, and
> - users with "Class 2" certs ONLY when they are
> browsing from some IP addresses.
>
> Those IP addresses are not known in advance, and may
> be dynamic. Let's say we have an external list
> (updated by some means, irrelevant to our problem). How
> can we check this list and correlate it with the OU
> from the client cert? We thought that something like
>
>     SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Class 1" \
>             or ( %{SSL_CLIENT_S_DN_OU} eq "Class 2" \
>                  and %{REMOTE_ADDR} in { file("/tmp/list") } )
>
> (where /tmp/list is a list of allowed IP addresses)
> would be the way to go, but this utterly fails.

From looking at the code, I don't think that would work as you expect. If /tmp/list contained "addr1 addr2 addr3", it would be equivalent to

    and %{REMOTE_ADDR} in { "addr1 addr2 addr3" }

i.e. a direct match against the entire file contents, not

    and %{REMOTE_ADDR} in { "addr1", "addr2", "addr3" }

which is what you'd need.

It might be possible to express this requirement using some combination of Require/Satisfy, or failing that, mod_rewrite; I'd recommend asking on the httpd users' list instead:

http://httpd.apache.org/lists.html#http-users

If nothing works out you could file a bug, it might be possible to enhance mod_ssl to make this work somehow.

joe
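The mod_rewrite route Joe suggests, worked through as an added example that is not part of the original thread and not code from the mod_ssl or httpd projects. The reason it fits the question is that a txt: RewriteMap is a real key/value lookup (one address per line, so "addr1 addr2 addr3" becomes three keys, not one string) and mod_rewrite re-reads the file whenever its mtime changes, so an externally maintained list takes effect without restarting httpd. Assumptions: Apache httpd 2.2 or later with mod_ssl and mod_rewrite loaded, SSLVerifyClient set at virtual-host level so the handshake with the client cert completes before the rewrite rules run, and hypothetical paths for the certificates and the list file. The map lookup is an exact string match on %{REMOTE_ADDR}, so the file must hold addresses exactly as httpd reports them (no CIDR ranges), and it should live outside /tmp with write access restricted to the process that updates it, because anyone who can append a line to it grants Class 2 access from that address.

```apache
# Added example (not from the thread): enforce the two-class policy with
# mod_rewrite instead of SSLRequire. Paths below are hypothetical.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    SSLCACertificateFile  /etc/httpd/ssl/our-ca.crt

    # Every client must present a certificate issued directly by our CA.
    SSLVerifyClient require
    SSLVerifyDepth  1

    RewriteEngine On

    # Plain-text map, one "<address> yes" entry per line, e.g.
    #   192.0.2.10 yes
    #   2001:db8::1 yes
    # mod_rewrite reloads it when the file's mtime changes, so the
    # external list can be updated without an httpd restart.
    RewriteMap class2_ips txt:/etc/httpd/class2-allowed-ips.txt

    # Class 1 certificates: always allowed; stop rule processing here.
    # The whole CondPattern is quoted so the space in "Class 1" survives
    # config tokenisation; "=" is mod_rewrite's string-equality test.
    RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "=Class 1"
    RewriteRule ^ - [L]

    # Class 2 certificates: allowed only when REMOTE_ADDR is a key in the
    # map. Missing keys fall back to "no" via the |default syntax.
    RewriteCond %{SSL:SSL_CLIENT_S_DN_OU} "=Class 2"
    RewriteCond ${class2_ips:%{REMOTE_ADDR}|no} =yes
    RewriteRule ^ - [L]

    # Everything else (unknown OU, or Class 2 from an unlisted address)
    # gets 403 Forbidden.
    RewriteRule ^ - [F]
</VirtualHost>
```

To see which branch a request took, enable the rewrite trace (RewriteLog/RewriteLogLevel on 2.2, LogLevel rewrite:trace3 on 2.4) and check with openssl s_client -cert/-key using one certificate of each class from a listed and an unlisted address; a Class 2 client from an unlisted address should receive 403 while the TLS handshake itself still succeeds.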