Re: SSLRequire, client certs and dynamic IP addresses



Joe Orton
 
Posts: n/a
Re: SSLRequire, client certs and dynamic IP addresses

On Tue, May 06, 2008 at 05:02:55PM +0200, Frédérique Da Luene wrote:
> Hello,
>
> We are trying to set up mod_ssl to get some "proper"
> access to two classes of users.
>
> First, everybody must use client certs (signed by our
> CA). Client cert control is okay and works properly
> (SSLVerifyClient require, SSLVerifyDepth 1 and such).
>
> Now, we have two classes of client certs, based on the
> OU. Say, OU="Class 1" and OU="Class 2". We want to
> allow:
> - all users with "Class 1" certificates, and
> - users with "Class 2" certs ONLY when they are
> browsing from some IP addresses.
>
> Those IP addresses are not known in advance, and may
> be dynamic. Let's say we have an external list
> (updated by some means, irrelevant to our problem). How
> can we check this list and correlate it with the OU
> from the client cert? We thought that something like
>
> SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Class 1"
> or ( %{SSL_CLIENT_S_DN_OU} eq "Class 2"
> and %{REMOTE_ADDR} in { file("/tmp/list") } )
>
> (where /tmp/list is a list of allowed IP addresses)
> would be the way to go, but this utterly fails.


From looking at the code, I don't think that would work as you expect.

If /tmp/list contained "addr1 addr2 addr3", it would be equivalent to

and %{REMOTE_ADDR} in { "addr1 addr2 addr3" }

i.e. a direct match against the entire file contents, not

and %{REMOTE_ADDR} in { "addr1", "addr2", "addr3" }

which is what you'd need.

It might be possible to express this requirement using some combination
of Require/Satisfy, or failing that, mod_rewrite; I'd recommend asking
on the httpd users' list instead:

http://httpd.apache.org/lists.html#http-users

If nothing works out, you could file a bug; it might be possible to
enhance mod_ssl to make this work somehow.

joe
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
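The mod_rewrite route Joe mentions, written out as an added example (this configuration is not from the original post or from the mod_ssl project). It sidesteps SSLRequire's file() function, which yields the whole file as one string, by letting mod_rewrite do the per-address lookup through a txt RewriteMap. Assumed here: the external process maintains /etc/httpd/allowed-ips.txt (a placeholder path) in mod_rewrite's two-column txt format, with the permitted address as the key and the literal word allow as the value; the certificate and key paths are placeholders too.

```apache
# Added example: "Class 1" certificates are always accepted, "Class 2"
# certificates only from addresses listed in an external map file.
# SSLVerifyClient/SSLVerifyDepth are the settings from the question;
# the file paths below are placeholders.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key
    SSLCACertificateFile  /etc/httpd/ssl/our-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1

    RewriteEngine On

    # Map file (assumed format, one entry per line, key then value):
    #   192.0.2.10   allow
    #   198.51.100.7 allow
    # mod_rewrite re-reads a txt map when its modification time changes,
    # so the external updater only has to replace the file atomically
    # (write a temp file, then rename over the old one).
    RewriteMap allowedips "txt:/etc/httpd/allowed-ips.txt"

    # Class 2 holders: forbid unless REMOTE_ADDR maps to "allow".
    # The "|deny" default makes an address that is absent from the map
    # fail the lookup instead of yielding an empty string.
    RewriteCond "%{SSL:SSL_CLIENT_S_DN_OU}" "=Class 2"
    RewriteCond "${allowedips:%{REMOTE_ADDR}|deny}" "!=allow"
    RewriteRule "^" "-" [F]

    # Any OU that is neither Class 1 nor Class 2 (including an empty OU)
    # is forbidden outright, so unexpected certificates fail closed.
    RewriteCond "%{SSL:SSL_CLIENT_S_DN_OU}" "!=Class 1"
    RewriteCond "%{SSL:SSL_CLIENT_S_DN_OU}" "!=Class 2"
    RewriteRule "^" "-" [F]
</VirtualHost>
```

Because the address check runs at request time rather than during the TLS handshake, a Class 2 user connecting from an address that is not (yet) in the map gets a 403 rather than a handshake failure, which also makes the denial visible in the access log. The %{SSL:...} lookup needs mod_ssl loaded and does not depend on SSLOptions +StdEnvVars; the OU comparison is an exact, case-sensitive string match, so the map-based rule only protects the value spellings your CA actually issues.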