[Mod_nss-list] SSL_CLIENT_SAN_IPAddr

Rob Crittenden rcritten at redhat.com
Wed Feb 15 16:31:52 UTC 2017


Andrei Ivanov wrote:
> Hi,
> I'm trying to access the SSL_CLIENT_SAN_IPAddr variables that mod_nss
> should expose, from a Lua authorization script.
> The problem is that it doesn't seem to work :-(
> 
> Following a suggestion from the users group, I used some RewriteRule to
> expose variables and some are visible, but the client SAN IP addresses
> are not:
> 
> LuaScope thread
> LuaAuthzProvider remote_ip_in_client_san /etc/httpd/authz/authz_check_remote_ip_in_client_san.lua authz_check_remote_ip_in_client_san
> RewriteEngine On
> RewriteRule .* - [E=sanip:%{SSL:SSL_CLIENT_SAN_IPAddr_0}]
> RewriteRule .* - [E=c_verify:%{SSL:SSL_CLIENT_VERIFY}]
> RewriteRule .* - [E=c_s_dn:%{SSL:SSL_CLIENT_S_DN}]
> RewriteRule .* - [E=ssl_ver_if:%{SSL:SSL_VERSION_INTERFACE}]
> RewriteRule .* - [E=ssl_ver_lib:%{SSL:SSL_VERSION_LIBRARY}]
> <Location />
>     Require remote_ip_in_client_san
>     #NSSRequire %{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}
>     #Require expr "%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddr}"
> </Location>
> 
> The generated log:
> [Wed Feb 15 13:14:07.653866 2017] ssl ver if: mod_nss/1.0.14
> [Wed Feb 15 13:14:07.653871 2017] ssl ver lib: NSS/3.21 Basic ECC
> [Wed Feb 15 13:14:07.653876 2017] client verify: SUCCESS
> [Wed Feb 15 13:14:07.653881 2017] client DN: CN=client-with-subjectAltName-with-IPs
> [Wed Feb 15 13:14:07.653886 2017] sanip:
> 
> Initially I hoped that mod_nss would expose all the SAN IP addresses as
> an array (SSL_CLIENT_SAN_IPAddr), but now I've read that it actually
> should create a variable for each, with a suffix
> (SSL_CLIENT_SAN_IPAddr_0), but that doesn't seem to be available either.
> 
> What am I doing wrong?
> Please help.

Are the variables case-sensitive with rewrite rules? If so, you have a
typo, IPAddr vs IPaddr.

As far as I can tell the variable should be available.

rob
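
The check the Lua provider in this thread is meant to perform (REMOTE_ADDR must appear among the client certificate's SAN IP addresses), modelled in Python as an added example that is not code from the thread or from mod_nss. It assumes the numbered-suffix variables described in the post and uses constructed sample values; names are matched case-sensitively here so that a mis-cased name such as IPaddr is reported instead of silently matched, which is a choice of this example and not a statement about how mod_rewrite or mod_nss resolve names.

```python
import ipaddress
import re

# Numbered-suffix naming as described in the post (assumed: _0, _1, ...).
SAN_IP_VAR = re.compile(r"SSL_CLIENT_SAN_IPAddr_(\d+)")

def san_ip_values(env):
    """SAN IP strings from exactly-cased variable names, ordered by index."""
    hits = [(int(m.group(1)), v) for n, v in env.items()
            if (m := SAN_IP_VAR.fullmatch(n)) and v]
    return [v for _, v in sorted(hits)]

def miscased_names(env):
    """Names that match only when case is ignored (e.g. ..._IPaddr_0)."""
    return sorted(n for n in env
                  if re.fullmatch(SAN_IP_VAR.pattern, n, re.IGNORECASE)
                  and not SAN_IP_VAR.fullmatch(n))

def canon(text):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(text.strip())
    mapped = getattr(ip, "ipv4_mapped", None)
    return mapped if mapped is not None else ip

def remote_ip_in_client_san(env):
    """Grant only on a verified cert whose SAN IPs include REMOTE_ADDR."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return False
    try:
        remote = canon(env["REMOTE_ADDR"])
    except (KeyError, ValueError):
        return False  # fail closed on a missing or malformed peer address
    for value in san_ip_values(env):
        try:
            if canon(value) == remote:
                return True
        except ValueError:
            continue  # an unparsable SAN entry never matches
    return False  # no SAN IP variables present, or none matched

# Constructed sample environments (addresses are documentation ranges).
GOOD = {"SSL_CLIENT_VERIFY": "SUCCESS", "REMOTE_ADDR": "::ffff:192.0.2.10",
        "SSL_CLIENT_SAN_IPAddr_0": "198.51.100.7",
        "SSL_CLIENT_SAN_IPAddr_1": "192.0.2.10"}
TYPO = {"SSL_CLIENT_VERIFY": "SUCCESS", "REMOTE_ADDR": "192.0.2.10",
        "SSL_CLIENT_SAN_IPaddr_0": "192.0.2.10"}
```

An empty result from `san_ip_values` together with a non-empty `miscased_names` points at a naming mismatch in the configuration, not at a certificate without SAN IP entries.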



