From rcritten at redhat.com Tue Jul 6 18:02:58 2010
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 06 Jul 2010 14:02:58 -0400
Subject: [Mod_nss-list] Client certificate subject alt names
In-Reply-To: <4C2B9E60.9040903@fedoraproject.org>
References: <4C2B9E60.9040903@fedoraproject.org>
Message-ID: <4C336FD2.3060102@redhat.com>

Josh wrote:
> We have an application for mod_nss where we would like to verify the
> subject alt names of the client certificate to ensure that the client
> certificates have not been interchanged between systems. Each of the
> clients has their own certificate that has a subject alt name that
> includes the client's IP address.
>
> For instance:
>
> ClientA has a certificate with CN=clientA and a subject alt name of
> IP:10.10.10.10
>
> ClientB has a certificate with CN=clientB and a subject alt name of
> IP:10.20.20.20
>
> We want to be able to verify that ClientA is using its certificate and
> is coming from 10.10.10.10 without knowing that clientA's DNS maps back
> to 10.10.10.10. If through some weird means clientA gets a hold of
> clientB's certificate the mod_nss server would reject the certificate
> because the IP address of the client would not match any of the subject
> alt names in the certificate.
>
> I thought I might be able to do this using NSSRequire but none of the
> available fields appear to produce the contents of the x509v3 subject
> alt names extension.
>
> Is there any way this can be achieved using the current version of mod_nss?
>
> Thanks and let me know if more details are needed (I'm sure there are)...
> -josh

Sorry for the delay in responding.

Unfortunately mod_nss doesn't support pulling certificate extensions yet
(mod_ssl does). If you need this functionality added you can file an RFE
here: https://bugzilla.redhat.com/enter_bug.cgi?product=Fedora&component=mod_nss

regards

rob
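The check Josh describes, written out as an added example that is not part of this thread and not mod_nss or NSS code: the peer's source address is compared against the iPAddress entries of the client certificate's subjectAltName, and a certificate with no iPAddress SAN fails closed. It uses only the Go standard library because its x509 package can both build a constructed test certificate with an IP SAN and re-parse it; the function names ClientIPMatchesCert and MakeClientCert are assumptions for this example, and the certificates it generates stand in for the clientA / clientB certificates from the question.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// ClientIPMatchesCert reports whether the peer's source address appears among
// the iPAddress entries of the certificate's subjectAltName extension.
// No iPAddress SAN means no match (fail closed), so a cert moved between hosts is rejected.
func ClientIPMatchesCert(cert *x509.Certificate, peer net.IP) bool {
	for _, ip := range cert.IPAddresses {
		if ip.Equal(peer) { // Equal handles 4-byte vs 16-byte IPv4 forms
			return true
		}
	}
	return false
}

// MakeClientCert builds a constructed, self-signed client certificate whose SAN
// carries the given IP addresses (assumed helper; stands in for the per-client certs).
func MakeClientCert(cn string, ips ...string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	for _, s := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(s))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der) // re-parse so IPAddresses is read back from the DER
}
```

In a real deployment the certificate would come from the TLS layer's verified peer chain and the peer address from the accepted connection, with the comparison done after normal chain validation, not instead of it.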