
List:       apache-modssl
Subject:    Trying to compare client-cert pem-file to %{SSL_CLIENT_CERT}
From:       Christoph Schmidt <Christoph.Schmidt () ubigrate ! com>
Date:       2010-02-15 8:09:25
Message-ID: F03912326135044EBAEB11CC7E3F84D8A58DE9DF8F () AUCKLAND ! ubigrate ! corp

Dear subscribers!

For a custom update site, we want to binary-check the (self-signed) certificates sent by our client applications against a physical copy of the certificate residing on our server. (Standard matching rules are deployed and working, but considered "not enough".) The rules per application reside inside an .htaccess file per directory associated with the solution. The problem is that the comparison

SSLRequire ( %{SSL_CLIENT_CERT} == file("/pathto/solutionIDxyzabc/CERT.pem") )

always fails ("[info] Failed expression:"). Loading the certificate into a fresh environment variable doesn't improve the situation, neither does holding the pem-encoded certificate data directly inside the rule. When I output $_Server['SSL_CLIENT_CERT'] and the variable holding the reference certificate via php, I get seemingly identical outputs. I think, tho, that the differences are in the realm of the non-printable characters of the client certificate, like trailing spaces or line breaks, which can't be analyzed with php in the middle. Unfortunately, the rule can't be debugged so well in context, because of a lack of print statements in the configuration context. LogLevel debug states nothing more than that the rule given above failed to yield 'true'.

I checked the first couple dozen hits for "'SSL_CLIENT_CERT'" on Google, but all of them are either occurrences of the default configuration file (explaining that ExportCertData generates the input for SSL_CLIENT_CERT and SSL_SERVER_CERT) or concerned with handing the certificate through a proxy to a backend server, which doesn't apply to my situation. The mailing list archive didn't seem to have a matching problem either (and encumbers the search by removing the _'s from SSL_CLIENT_CERT' :P).

I would be grateful for any pointers towards how to implement this rule or a specification as to how SSL_CLIENT_CERT is formatted (i.e. how the reference file/data should look).

The versions used:
# openssl version
OpenSSL 0.9.8g 19 Oct 2007
# apache2 -v
Server version: Apache/2.2.8 (Ubuntu)
Server built:   Jun 18 2009 08:45:39
Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 mod_jk/1.2.25 mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 Server at * Port 443

Many thanks in advance!

Best regards,

--Christoph Schmidt
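An added example, not part of Christoph's post and not mod_ssl code, that reproduces the comparison he is attempting outside the server. It shows why an exact textual `==` between two PEM strings is the wrong level to pin a certificate at: the armored text differs between sources in line endings and trailing whitespace even when the certificate is identical, whereas the decoded DER bytes (or their SHA-256 fingerprint) do not. The `SAMPLE_DER` bytes are a constructed placeholder, not a real certificate; `make_pem`, `pem_to_der`, `same_certificate`, `first_difference` and `explain` are names chosen here, and any real PEM strings (the file on disk and the value exported as SSL_CLIENT_CERT) can be fed to them in place of the generated variants.

```python
"""Compare a presented PEM certificate with a reference PEM on the decoded
DER bytes (or their SHA-256 fingerprint) rather than on the armored text.
Added illustration for the mailing-list question above, not mod_ssl code."""
import base64
import hashlib
import hmac
import re

# Constructed placeholder for the DER encoding a PEM block wraps.
# It is NOT a real certificate; only the armor/normalisation logic is exercised.
SAMPLE_DER = bytes(range(0x30, 0x60)) * 3  # 144 bytes -> 192 base64 characters

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def make_pem(der, line_ending="\n", trailing=None):
    """Wrap DER bytes in PEM armor with 64-character base64 lines.
    `trailing` is whatever follows the END line (defaults to one line ending),
    so variants with and without a final newline can be produced."""
    if trailing is None:
        trailing = line_ending
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    armor = ["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"]
    return line_ending.join(armor) + trailing


def pem_to_der(pem):
    """Decode the first CERTIFICATE block, ignoring every whitespace character.
    Raises ValueError if there is no block or the base64 is malformed."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode(re.sub(r"\s+", "", match.group(1)), validate=True)


def fingerprint_sha256(pem):
    """Hex SHA-256 over the DER bytes: the value to pin, and a compact form in
    which the reference can be stored instead of a whole PEM file."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def same_certificate(presented_pem, reference_pem):
    """True when both PEMs decode to identical DER bytes.
    compare_digest keeps the comparison time independent of where they differ."""
    return hmac.compare_digest(pem_to_der(presented_pem), pem_to_der(reference_pem))


def first_difference(a, b):
    """Offset of the first differing character of two strings, or -1 if equal.
    Useful where only an exact textual match is available, as in the SSLRequire rule."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return -1 if len(a) == len(b) else min(len(a), len(b))


def explain(presented_pem, reference_pem):
    """Summarise why a textual comparison fails while the certificate is the same."""
    return {
        "text_equal": presented_pem == reference_pem,
        "der_equal": same_certificate(presented_pem, reference_pem),
        "first_difference": first_difference(presented_pem, reference_pem),
        "presented_tail": repr(presented_pem[-30:]),
        "reference_tail": repr(reference_pem[-30:]),
    }


if __name__ == "__main__":
    reference = make_pem(SAMPLE_DER)  # like a file on disk: LF, final newline
    variants = {
        "no trailing newline": make_pem(SAMPLE_DER, trailing=""),
        "CRLF line endings": make_pem(SAMPLE_DER, "\r\n"),
        "extra blank line": make_pem(SAMPLE_DER, trailing="\n\n"),
    }
    for name, pem in variants.items():
        print(name, explain(pem, reference))
```

Run against the real inputs (`explain(open("CERT.pem").read(), exported_value)`), the `first_difference` offset and the two `repr` tails show exactly which byte a textual comparison trips over, which is the information PHP output of the two values hides. Where the check can be done in application code rather than in the SSLRequire expression, `same_certificate` or a stored `fingerprint_sha256` value is the robust form of the pin: it is indifferent to armor formatting and still fails for any change to the certificate body.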




______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majordomo@modssl.org
