From jokajak at fedoraproject.org Wed Jun 30 19:43:28 2010
From: jokajak at fedoraproject.org (Josh)
Date: Wed, 30 Jun 2010 15:43:28 -0400
Subject: [Mod_nss-list] Client certificate subject alt names
Message-ID: <4C2B9E60.9040903@fedoraproject.org>

We have an application for mod_nss where we would like to verify the subject alt names of the client certificate to ensure that the client certificates have not been interchanged between systems. Each of the clients has their own certificate that has a subject alt name that includes the client's IP address. For instance:

ClientA has a certificate with CN=clientA and a subject alt name of IP:10.10.10.10
ClientB has a certificate with CN=clientB and a subject alt name of IP:10.20.20.20

We want to be able to verify that ClientA is using its certificate and is coming from 10.10.10.10 without knowing that clientA's DNS maps back to 10.10.10.10. If through some weird means clientA gets a hold of clientB's certificate, the mod_nss server would reject the certificate because the IP address of the client would not match any of the subject alt names in the certificate.

I thought I might be able to do this using NSSRequire, but none of the available fields appear to produce the contents of the x509v3 subject alt names extension.

Is there any way this can be achieved using the current version of mod_nss?

Thanks, and let me know if more details are needed (I'm sure there are)...

-josh
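The check Josh describes, expressed as a stand-alone Go program (an added example, not code from the original message and not part of mod_nss). It builds two constructed self-signed client certificates carrying only an IP-type subjectAltName, then accepts a connection only when the peer's source address appears among the certificate's IP SANs; the CN and any DNS SANs are deliberately ignored, so no DNS lookup is involved. The function names (`makeClientCert`, `peerIPMatchesSAN`, `acceptPeer`) and the sample addresses are assumptions made for this demo; a real server would take the certificate from the TLS handshake and the address from the connection's RemoteAddr.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// makeClientCert builds a self-signed client certificate whose only
// address binding is an IP subjectAltName. This is constructed test data
// for the demo, not a certificate from the mailing-list thread.
func makeClientCert(cn, ip string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP(ip)}, // the IP: subjectAltName
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// peerIPMatchesSAN reports whether the peer's address is one of the
// certificate's IP subjectAltNames. DNS SANs and the subject CN are
// intentionally not consulted, so a certificate swapped between hosts
// fails even when DNS would still resolve "correctly".
func peerIPMatchesSAN(cert *x509.Certificate, peer string) bool {
	ip := net.ParseIP(peer)
	if ip == nil {
		return false // unparsable address: fail closed
	}
	for _, san := range cert.IPAddresses {
		if san.Equal(ip) { // Equal handles 4-byte vs 16-byte IPv4 forms
			return true
		}
	}
	return false
}

// acceptPeer takes a "host:port" remote address as a TLS server would see
// it, strips the port, and applies the SAN check. Malformed input is rejected.
func acceptPeer(cert *x509.Certificate, remoteAddr string) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		return false
	}
	return peerIPMatchesSAN(cert, host)
}

func main() {
	certA, err := makeClientCert("clientA", "10.10.10.10")
	if err != nil {
		panic(err)
	}
	// clientA's certificate presented from its own address, then from
	// clientB's address (the "certificates interchanged" case).
	for _, addr := range []string{"10.10.10.10:51234", "10.20.20.20:51234"} {
		fmt.Printf("CN=%s presented from %s -> accept=%v\n",
			certA.Subject.CommonName, addr, acceptPeer(certA, addr))
	}
}
```

The decision is made purely on the connection's source address and the certificate's IP SAN list; a certificate with no IP SANs is rejected outright, which is the safe default when the policy is "every client cert must be pinned to an address".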