From andrei.ivanov at gmail.com Tue Feb 7 12:01:27 2017
From: andrei.ivanov at gmail.com (Andrei Ivanov)
Date: Tue, 7 Feb 2017 14:01:27 +0200
Subject: [Mod_nss-list] Windows binaries or build instructions
Message-ID:

Hi,
I'm trying to evaluate the use of mod_nss and since I have Windows on my laptop, I'm searching for Windows binaries for mod_nss, or at least instructions on how to build it for this environment.

I've searched on Google but I didn't find them.
Any suggestions?

Thank you.

From rcritten at redhat.com Tue Feb 7 14:01:07 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 7 Feb 2017 09:01:07 -0500
Subject: [Mod_nss-list] Windows binaries or build instructions
In-Reply-To:
References:
Message-ID: <4c8ef4bc-0fcb-2c93-c27c-38eee9744d24@redhat.com>

Andrei Ivanov wrote:
> Hi,
> I'm trying to evaluate the use of mod_nss and since I have Windows on my
> laptop, I'm searching for Windows binaries for mod_nss, or at least
> instructions on how to build it for this environment.
>
> I've searched on Google but I didn't find them.
> Any suggestions?

Sorry, I've never tried to build this in Windows (I don't even have an environment to try in).

Assuming mod_ssl is buildable in Windows you might try starting with that project file. Some of the dependencies are the same, you'd just replace OpenSSL with NSS and NSPR.
rob

From andrei.ivanov at gmail.com Mon Feb 13 17:03:00 2017
From: andrei.ivanov at gmail.com (Andrei Ivanov)
Date: Mon, 13 Feb 2017 19:03:00 +0200
Subject: [Mod_nss-list] client SAN entries in expression
Message-ID:

Hi,
I'm trying to configure a virtual host to perform some kind of mutual authentication using client certificates, performing an extra type of validation:

    NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}

The problem at the moment seems to be that this expression is considered invalid :-(

I've also tried with

    Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"

Still error :-(

    AH00526: Syntax error on line 174 of /etc/httpd/conf.d/nss.conf:
    Cannot parse expression in require line: syntax error, unexpected $end

Is this kind of expression really not supported?
What are my options for such an expression?

Thank you in advance

From rcritten at redhat.com Mon Feb 13 20:00:57 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Mon, 13 Feb 2017 15:00:57 -0500
Subject: [Mod_nss-list] client SAN entries in expression
In-Reply-To:
References:
Message-ID: <10e6587f-8d79-4df9-c987-1142cf2c45bd@redhat.com>

Andrei Ivanov wrote:
> Hi,
> I'm trying to configure a virtual host to perform some kind of mutual
> authentication using client certificates, performing an extra type of
> validation:
>
>     NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
>
> The problem at the moment seems to be that this expression is considered
> invalid :-(
>
> I've also tried with
>     Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
>
> Still error :-(
>
>     AH00526: Syntax error on line 174 of /etc/httpd/conf.d/nss.conf:
>     Cannot parse expression in require line: syntax error, unexpected $end
>
> Is this kind of expression really not supported?
> What are my options for such an expression?
This isn't supported and I imagine the parsing engine would need to be extended quite a bit to do so.

I don't know of a dynamic way to do this, you'd have to hardcode the SAN list into the config.

rob

From andrei.ivanov at gmail.com Mon Feb 13 20:13:21 2017
From: andrei.ivanov at gmail.com (Andrei Ivanov)
Date: Mon, 13 Feb 2017 22:13:21 +0200
Subject: [Mod_nss-list] client SAN entries in expression
In-Reply-To: <10e6587f-8d79-4df9-c987-1142cf2c45bd@redhat.com>
References: <10e6587f-8d79-4df9-c987-1142cf2c45bd@redhat.com>
Message-ID:

On Mon, Feb 13, 2017 at 10:00 PM, Rob Crittenden wrote:
> Andrei Ivanov wrote:
> > Hi,
> > I'm trying to configure a virtual host to perform some kind of mutual
> > authentication using client certificates, performing an extra type of
> > validation:
> >
> >     NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
> >
> > The problem at the moment seems to be that this expression is considered
> > invalid :-(
> >
> > I've also tried with
> >     Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> >
> > Still error :-(
> >
> >     AH00526: Syntax error on line 174 of /etc/httpd/conf.d/nss.conf:
> >     Cannot parse expression in require line: syntax error, unexpected $end
> >
> > Is this kind of expression really not supported?
> > What are my options for such an expression?
>
> This isn't supported and I imagine the parsing engine would need to be
> extended quite a bit to do so.
>
> I don't know of a dynamic way to do this, you'd have to hardcode the SAN
> list into the config.
>
> rob

Uf, the idea was to have each client certificate hold the list of IPs for which it is valid, similar to the DNS entries.
And I was so happy seeing that mod_nss exports the SSL_CLIENT_SAN_IPaddr (and as an array) vs mod_ssl.

I guess I'll create a ticket to get this kind of expression supported, but I won't count on getting it implemented.

Thank you.
From rcritten at redhat.com Tue Feb 14 22:37:46 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Tue, 14 Feb 2017 17:37:46 -0500
Subject: [Mod_nss-list] Project has migrated to Pagure
Message-ID:

The fedorahosted.org site is going to sunset in a few weeks. The mod_nss project has migrated to Pagure at https://pagure.io/mod_nss

The old project will live at the fedorahosted.org site for a bit longer but will be marked as read-only.

rob

From andrei.ivanov at gmail.com Wed Feb 15 11:24:00 2017
From: andrei.ivanov at gmail.com (Andrei Ivanov)
Date: Wed, 15 Feb 2017 13:24:00 +0200
Subject: [Mod_nss-list] SSL_CLIENT_SAN_IPAddr
Message-ID:

Hi,
I'm trying to access the SSL_CLIENT_SAN_IPAddr variables that mod_nss should expose, from a Lua authorization script.
The problem is that it doesn't seem to work :-(

Following a suggestion from the users group, I used some RewriteRule to expose variables and some are visible, but the client SAN IP addresses are not:

    LuaScope thread
    LuaAuthzProvider remote_ip_in_client_san /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua authz_check_remote_ip_in_client_san
    RewriteEngine On
    RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPAddr_0}]
    RewriteRule .* - [E=c_verify:%{SSL:SSL_CLIENT_VERIFY}]
    RewriteRule .* - [E=c_s_dn:%{SSL:SSL_CLIENT_S_DN}]
    RewriteRule .* - [E=ssl_ver_if:%{SSL:SSL_VERSION_INTERFACE}]
    RewriteRule .* - [E=ssl_ver_lib:%{SSL:SSL_VERSION_LIBRARY}]

    Require remote_ip_in_client_san
    #NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
    #Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"

The generated log:

    [Wed Feb 15 13:14:07.653866 2017] ssl ver if: mod_nss/1.0.14
    [Wed Feb 15 13:14:07.653871 2017] ssl ver lib: NSS/3.21 Basic ECC
    [Wed Feb 15 13:14:07.653876 2017] client verify: SUCCESS
    [Wed Feb 15 13:14:07.653881 2017] client DN: CN=client-with-subjectAltName-with-IPs
    [Wed Feb 15 13:14:07.653886 2017] sanip:

Initially I hoped that mod_nss would expose all the SAN IP addresses as an array
(SSL_CLIENT_SAN_IPAddr), but now I've read that it actually should create a variable for each, with a suffix (SSL_CLIENT_SAN_IPAddr_0), but that doesn't seem to be available either.

What am I doing wrong?
Please help.

Thank you.

From andrei.ivanov at gmail.com Wed Feb 15 14:05:52 2017
From: andrei.ivanov at gmail.com (Andrei Ivanov)
Date: Wed, 15 Feb 2017 16:05:52 +0200
Subject: [Mod_nss-list] SSL_CLIENT_SAN_IPAddr
In-Reply-To:
References:
Message-ID:

On Wed, Feb 15, 2017 at 1:24 PM, Andrei Ivanov wrote:
> Hi,
> I'm trying to access the SSL_CLIENT_SAN_IPAddr variables that mod_nss
> should expose, from a Lua authorization script.
> The problem is that it doesn't seem to work :-(
>
> Following a suggestion from the users group, I used some RewriteRule to
> expose variables and some are visible, but the client SAN IP addresses are
> not:
>

I've also tried with SSL_CLIENT_SAN_IPaddr_0, as the source code seems to be using it, still no luck :-(
I've checked with SSL_CLIENT_SAN_Email_0 and that works, so it might be an IP address type issue (?)
> LuaScope thread
> LuaAuthzProvider remote_ip_in_client_san /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua
> authz_check_remote_ip_in_client_san
> RewriteEngine On
> RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPAddr_0}]
> RewriteRule .* - [E=c_verify:%{SSL:SSL_CLIENT_VERIFY}]
> RewriteRule .* - [E=c_s_dn:%{SSL:SSL_CLIENT_S_DN}]
> RewriteRule .* - [E=ssl_ver_if:%{SSL:SSL_VERSION_INTERFACE}]
> RewriteRule .* - [E=ssl_ver_lib:%{SSL:SSL_VERSION_LIBRARY}]
>
> Require remote_ip_in_client_san
> #NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
> #Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
>
> The generated log:
> [Wed Feb 15 13:14:07.653866 2017] ssl ver if: mod_nss/1.0.14
> [Wed Feb 15 13:14:07.653871 2017] ssl ver lib: NSS/3.21 Basic ECC
> [Wed Feb 15 13:14:07.653876 2017] client verify: SUCCESS
> [Wed Feb 15 13:14:07.653881 2017] client DN: CN=client-with-subjectAltName-with-IPs
> [Wed Feb 15 13:14:07.653886 2017] sanip:
>
> Initially I hoped that mod_nss would expose all the SAN IP addresses as an
> array (SSL_CLIENT_SAN_IPAddr), but now I've read that it actually should
> create a variable for each, with a suffix (SSL_CLIENT_SAN_IPAddr_0), but
> that doesn't seem to be available either.
>
> What am I doing wrong?
> Please help.
>
> Thank you.

From rcritten at redhat.com Wed Feb 15 16:31:52 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 15 Feb 2017 11:31:52 -0500
Subject: [Mod_nss-list] SSL_CLIENT_SAN_IPAddr
In-Reply-To:
References:
Message-ID: <0f439bdc-404c-a0d3-716e-43b90a911755@redhat.com>

Andrei Ivanov wrote:
> Hi,
> I'm trying to access the SSL_CLIENT_SAN_IPAddr variables that mod_nss
> should expose, from a Lua authorization script.
> The problem is that it doesn't seem to work :-(
>
> Following a suggestion from the users group, I used some RewriteRule to
> expose variables and some are visible, but the client SAN IP addresses
> are not:
>
> LuaScope thread
> LuaAuthzProvider remote_ip_in_client_san
> /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua
> authz_check_remote_ip_in_client_san
> RewriteEngine On
> RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPAddr_0}]
> RewriteRule .* - [E=c_verify:%{SSL:SSL_CLIENT_VERIFY}]
> RewriteRule .* - [E=c_s_dn:%{SSL:SSL_CLIENT_S_DN}]
> RewriteRule .* - [E=ssl_ver_if:%{SSL:SSL_VERSION_INTERFACE}]
> RewriteRule .* - [E=ssl_ver_lib:%{SSL:SSL_VERSION_LIBRARY}]
>
> Require remote_ip_in_client_san
> #NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
> #Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
>
> The generated log:
> [Wed Feb 15 13:14:07.653866 2017] ssl ver if: mod_nss/1.0.14
> [Wed Feb 15 13:14:07.653871 2017] ssl ver lib: NSS/3.21 Basic ECC
> [Wed Feb 15 13:14:07.653876 2017] client verify: SUCCESS
> [Wed Feb 15 13:14:07.653881 2017] client DN:
> CN=client-with-subjectAltName-with-IPs
> [Wed Feb 15 13:14:07.653886 2017] sanip:
>
> Initially I hoped that mod_nss would expose all the SAN IP addresses as
> an array (SSL_CLIENT_SAN_IPAddr), but now I've read that it actually
> should create a variable for each, with a suffix
> (SSL_CLIENT_SAN_IPAddr_0), but that doesn't seem to be available either.
>
> What am I doing wrong?
> Please help.

Are the variables case-sensitive with rewrite rules? If so you have a typo, IPAddr vs IPaddr.

As far as I can tell the variable should be available.
rob

From andrei.ivanov at gmail.com Wed Feb 15 16:35:38 2017
From: andrei.ivanov at gmail.com (Andrei Ivanov)
Date: Wed, 15 Feb 2017 18:35:38 +0200
Subject: [Mod_nss-list] SSL_CLIENT_SAN_IPAddr
In-Reply-To: <0f439bdc-404c-a0d3-716e-43b90a911755@redhat.com>
References: <0f439bdc-404c-a0d3-716e-43b90a911755@redhat.com>
Message-ID:

On Wed, Feb 15, 2017 at 6:31 PM, Rob Crittenden wrote:
> Andrei Ivanov wrote:
> > Hi,
> > I'm trying to access the SSL_CLIENT_SAN_IPAddr variables that mod_nss
> > should expose, from a Lua authorization script.
> > The problem is that it doesn't seem to work :-(
> >
> > Following a suggestion from the users group, I used some RewriteRule to
> > expose variables and some are visible, but the client SAN IP addresses
> > are not:
> >
> > LuaScope thread
> > LuaAuthzProvider remote_ip_in_client_san
> > /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua
> > authz_check_remote_ip_in_client_san
> > RewriteEngine On
> > RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPAddr_0}]
> > RewriteRule .* - [E=c_verify:%{SSL:SSL_CLIENT_VERIFY}]
> > RewriteRule .* - [E=c_s_dn:%{SSL:SSL_CLIENT_S_DN}]
> > RewriteRule .* - [E=ssl_ver_if:%{SSL:SSL_VERSION_INTERFACE}]
> > RewriteRule .* - [E=ssl_ver_lib:%{SSL:SSL_VERSION_LIBRARY}]
> >
> > Require remote_ip_in_client_san
> > #NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
> > #Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> >
> > The generated log:
> > [Wed Feb 15 13:14:07.653866 2017] ssl ver if: mod_nss/1.0.14
> > [Wed Feb 15 13:14:07.653871 2017] ssl ver lib: NSS/3.21 Basic ECC
> > [Wed Feb 15 13:14:07.653876 2017] client verify: SUCCESS
> > [Wed Feb 15 13:14:07.653881 2017] client DN:
> > CN=client-with-subjectAltName-with-IPs
> > [Wed Feb 15 13:14:07.653886 2017] sanip:
> >
> > Initially I hoped that mod_nss would expose all the SAN IP addresses as
> > an array (SSL_CLIENT_SAN_IPAddr), but now I've read that it actually
> > should create a variable for each, with a suffix
> > (SSL_CLIENT_SAN_IPAddr_0), but that doesn't seem to be available either.
> >
> > What am I doing wrong?
> > Please help.
>
> Are the variables case-sensitive with rewrite rules? If so you have a
> typo, IPAddr vs IPaddr.
>
> As far as I can tell the variable should be available.
>
> rob

I've also tried with SSL_CLIENT_SAN_IPaddr_0, as the source code seems to be using it (as opposed to the documentation), still no luck :-(
I've checked with SSL_CLIENT_SAN_Email_0 and that works, so it might be an IP address type issue (?)

From rcritten at redhat.com Wed Feb 15 16:37:13 2017
From: rcritten at redhat.com (Rob Crittenden)
Date: Wed, 15 Feb 2017 11:37:13 -0500
Subject: [Mod_nss-list] SSL_CLIENT_SAN_IPAddr
In-Reply-To:
References: <0f439bdc-404c-a0d3-716e-43b90a911755@redhat.com>
Message-ID:

Andrei Ivanov wrote:
>
> On Wed, Feb 15, 2017 at 6:31 PM, Rob Crittenden wrote:
>
> Andrei Ivanov wrote:
> > Hi,
> > I'm trying to access the SSL_CLIENT_SAN_IPAddr variables that mod_nss
> > should expose, from a Lua authorization script.
> > The problem is that it doesn't seem to work :-(
> >
> > Following a suggestion from the users group, I used some RewriteRule to
> > expose variables and some are visible, but the client SAN IP addresses
> > are not:
> >
> > LuaScope thread
> > LuaAuthzProvider remote_ip_in_client_san
> > /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua
> > authz_check_remote_ip_in_client_san
> > RewriteEngine On
> > RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPAddr_0}]
> > RewriteRule .* - [E=c_verify:%{SSL:SSL_CLIENT_VERIFY}]
> > RewriteRule .* - [E=c_s_dn:%{SSL:SSL_CLIENT_S_DN}]
> > RewriteRule .* - [E=ssl_ver_if:%{SSL:SSL_VERSION_INTERFACE}]
> > RewriteRule .* - [E=ssl_ver_lib:%{SSL:SSL_VERSION_LIBRARY}]
> >
> > Require remote_ip_in_client_san
> > #NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
> > #Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> >
> > The generated log:
> > [Wed Feb 15 13:14:07.653866 2017] ssl ver if: mod_nss/1.0.14
> > [Wed Feb 15 13:14:07.653871 2017] ssl ver lib: NSS/3.21 Basic ECC
> > [Wed Feb 15 13:14:07.653876 2017] client verify: SUCCESS
> > [Wed Feb 15 13:14:07.653881 2017] client DN:
> > CN=client-with-subjectAltName-with-IPs
> > [Wed Feb 15 13:14:07.653886 2017] sanip:
> >
> > Initially I hoped that mod_nss would expose all the SAN IP addresses as
> > an array (SSL_CLIENT_SAN_IPAddr), but now I've read that it actually
> > should create a variable for each, with a suffix
> > (SSL_CLIENT_SAN_IPAddr_0), but that doesn't seem to be available either.
> >
> > What am I doing wrong?
> > Please help.
>
> Are the variables case-sensitive with rewrite rules? If so you have a
> typo, IPAddr vs IPaddr.
>
> As far as I can tell the variable should be available.
>
> rob
>
>
> I've also tried with SSL_CLIENT_SAN_IPaddr_0, as the source code seems
> to be using it (as opposed to the documentation), still no luck :-(
> I've checked with SSL_CLIENT_SAN_Email_0 and that works, so it might be
> an IP address type issue (?)
You can try to confirm by creating a short cgi that prints the environment and requires a client cert and pointing your client at that to see what comes out.

rob
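The diagnostic CGI Rob suggests, extended to perform the check the thread is after (is REMOTE_ADDR one of the client certificate's SAN IP entries?) outside the NSSRequire expression parser. This is an added example, not code from the thread, from mod_nss or from Andrei's Lua provider. It assumes, as the thread does but nobody confirms, that mod_nss exports one variable per SAN IP entry with a numeric suffix, and that the spelling may be either IPaddr (source) or IPAddr (documentation), so both are accepted. The sample environment at the bottom is constructed to mirror the variables in Andrei's log, not captured from a server.

```python
#!/usr/bin/env python3
"""Added example (not from the thread or mod_nss): a CGI that dumps the SSL_*
environment the server exports and checks REMOTE_ADDR against the client
certificate's SAN IP entries.

Assumption, not confirmed by the page: one variable per SAN IP entry, named
SSL_CLIENT_SAN_IPaddr_N or SSL_CLIENT_SAN_IPAddr_N.
"""
import ipaddress
import os
import re
import sys

# Accepts SSL_CLIENT_SAN_IPaddr_0, SSL_CLIENT_SAN_IPAddr_12, ... in any case.
SAN_IP_VAR = re.compile(r"^SSL_CLIENT_SAN_IPADDR_(\d+)$", re.IGNORECASE)


def _parse_ip(text):
    """Parse an address; unmap ::ffff:a.b.c.d so it compares equal to a.b.c.d."""
    ip = ipaddress.ip_address(text.strip())
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def client_san_ips(env):
    """SAN IP entries from env, ordered by suffix, as address objects.

    Unparseable values are dropped, never treated as a match, so a malformed
    entry cannot make the check fail open.
    """
    found = []
    for name, value in env.items():
        m = SAN_IP_VAR.match(name)
        if not m or not value:
            continue
        try:
            found.append((int(m.group(1)), _parse_ip(value)))
        except ValueError:
            continue
    return [ip for _, ip in sorted(found)]


def remote_ip_allowed(env):
    """True only if the client cert verified AND REMOTE_ADDR is one of its SAN IPs.

    The SSL_CLIENT_VERIFY gate matters: SAN contents are whatever the client
    asked its CA for, so they mean nothing unless the chain verified against
    a CA the server trusts. Comparison is on parsed addresses, so textual
    variants of the same IPv6 address still match.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return False
    try:
        remote = _parse_ip(env.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(remote == san for san in client_san_ips(env))


def ssl_report(env):
    """Plain-text body: every SSL_* variable seen, the parsed SAN IPs, the verdict."""
    lines = ["Variables exported to this CGI:"]
    for name in sorted(env):
        if name.startswith("SSL_") or name == "REMOTE_ADDR":
            lines.append("  %s=%s" % (name, env[name]))
    lines.append("SAN IPs parsed: %s" % ", ".join(str(ip) for ip in client_san_ips(env)))
    lines.append("REMOTE_ADDR allowed: %s" % remote_ip_allowed(env))
    return "\n".join(lines)


# Constructed sample environment (not captured from a real server) mirroring
# the variables Andrei's log shows, plus the SAN entries he expected to see.
SAMPLE_ENV = {
    "REMOTE_ADDR": "10.0.0.5",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "CN=client-with-subjectAltName-with-IPs",
    "SSL_CLIENT_SAN_IPaddr_0": "10.0.0.5",
    "SSL_CLIENT_SAN_IPaddr_1": "2001:db8::1",
}


if __name__ == "__main__":
    # Under a web server the real environment is reported; offline, the sample is.
    env = os.environ if "SSL_CLIENT_VERIFY" in os.environ else SAMPLE_ENV
    sys.stdout.write("Content-Type: text/plain\r\n\r\n")
    sys.stdout.write(ssl_report(env) + "\n")
```

Install it under a location that requires a client certificate and fetch it with the certificate in question: the first block of output answers the thread's question (which names, with which capitalisation, actually reach the environment) and the last line answers Andrei's. Two caveats apply in production: REMOTE_ADDR is the TCP peer, so behind a reverse proxy it is the proxy and the check is meaningless unless the original address is recovered from a trusted header; and the check is only as strong as the CA's issuance policy, since any client whose CA will sign arbitrary IP SANs can mint a certificate for any address.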