List: apache-modssl
Subject: Trying to compare client-cert pem-file to %{SSL_CLIENT_CERT}
From: Christoph Schmidt <Christoph.Schmidt () ubigrate ! com>
Date: 2010-02-15 8:09:25
Message-ID: F03912326135044EBAEB11CC7E3F84D8A58DE9DF8F () AUCKLAND ! ubigrate ! corp
Dear subscribers!

For a custom update site, we want to binary-check the (self-signed) certificates sent by our client applications against a physical copy of the certificate residing on our server. (Standard matching rules are deployed and working, but considered "not enough".) The rules per application reside inside an .htaccess file per directory associated with the solution. The problem is that the comparison

SSLRequire ( %{SSL_CLIENT_CERT} == file("/pathto/solutionIDxyzabc/CERT.pem") )

always fails ("[info] Failed expression:"). Loading the certificate into a fresh environment variable doesn't improve the situation, neither does holding the pem-encoded certificate data directly inside the rule. When I output $_SERVER['SSL_CLIENT_CERT'] and the variable holding the reference certificate via php, I get seemingly identical outputs. I think, tho, that the differences are in the realm of the non-printable characters of the client certificate, like trailing spaces or line breaks, which can't be analyzed with php in the middle. Unfortunately, the rule can't be debugged so well in context, because of a lack of print statements in the configuration context. LogLevel debug states nothing more than that the rule given above failed to yield 'true'.

I checked the first couple dozen hits for "'SSL_CLIENT_CERT'" on Google, but all of them are either occurrences of the default configuration file (explaining that ExportCertData generates the input for SSL_CLIENT_CERT and SSL_SERVER_CERT) or concerned with handing the certificate through a proxy to a backend server, which doesn't apply to my situation. The mailing list archive didn't seem to have a matching problem either (and encumbers the search by removing the _'s from SSL_CLIENT_CERT :P).

I would be grateful for any pointers towards how to implement this rule or a specification as to how SSL_CLIENT_CERT is formatted (i.e. how the reference file/data should look).

The versions used:

# openssl version
OpenSSL 0.9.8g 19 Oct 2007
# apache2 -v
Server version: Apache/2.2.8 (Ubuntu)
Server built: Jun 18 2009 08:45:39
Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 mod_jk/1.2.25 mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 Server at * Port 443

Many thanks in advance!

Best regards,
--Christoph Schmidt
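The whitespace suspicion raised in the post can be checked outside Apache, where the bytes are visible. The script below is an added example, not code from the post, from mod_ssl or from the poster's setup. It assumes that ExportCertData hands SSLRequire the certificate as PEM text with LF line endings and a single trailing newline, and it uses a constructed stand-in for the certificate body (96 arbitrary bytes, not a real X.509 certificate), since only the PEM framing matters for the comparison. It shows three things: the exact string equality that a byte-for-byte == amounts to, which a CRLF or extra blank line in the reference file breaks; the offset at which the two strings first diverge, printed with repr() so that a carriage return is no longer invisible; and a canonical comparison on the decoded DER bytes (or their SHA-256 digest), which ignores whitespace entirely.

```python
import base64
import hashlib
import re
from typing import Optional, Tuple

# Constructed stand-in for a DER-encoded certificate: 96 arbitrary bytes.
# It is NOT a real X.509 certificate; only the PEM framing matters here.
_FAKE_DER = bytes(range(0x30, 0x30 + 96))
_B64 = base64.b64encode(_FAKE_DER).decode("ascii")
_WRAPPED = "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))

# Assumed shape of what ExportCertData puts into SSL_CLIENT_CERT:
# PEM text with LF line endings and one trailing newline.
SSL_CLIENT_CERT = (
    "-----BEGIN CERTIFICATE-----\n" + _WRAPPED + "\n-----END CERTIFICATE-----\n"
)

# The same certificate as it might sit in the reference file after being
# saved by a Windows editor: CRLF line endings plus an extra blank line.
REFERENCE_FILE = SSL_CLIENT_CERT.replace("\n", "\r\n") + "\r\n"

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Drop the PEM armour and every whitespace byte, then base64-decode.

    Raises ValueError when no CERTIFICATE block is present or the body
    is not valid base64 (validate=True rejects stray characters)."""
    match = _PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(r"\s+", "", match.group(1))
    return base64.b64decode(body, validate=True)


def naive_equal(a: str, b: str) -> bool:
    """Exact string equality, i.e. what a byte-for-byte == on two PEM
    strings amounts to; any CR, trailing newline or space breaks it."""
    return a == b


def first_difference(a: str, b: str) -> Optional[Tuple[int, str, str]]:
    """Locate the first index where two strings diverge and return it with
    repr() of the next eight characters on each side, so non-printable
    bytes such as '\\r' become visible. None when the strings are equal."""
    for i, (ca, cb) in enumerate(zip(a, b)):
        if ca != cb:
            return i, repr(a[i:i + 8]), repr(b[i:i + 8])
    if len(a) != len(b):
        i = min(len(a), len(b))
        return i, repr(a[i:i + 8]), repr(b[i:i + 8])
    return None


def canonical_equal(a: str, b: str) -> bool:
    """Whitespace-insensitive comparison: equal iff the DER bytes match."""
    return pem_to_der(a) == pem_to_der(b)


def fingerprint(pem: str) -> str:
    """SHA-256 of the DER bytes as colon-separated upper-case hex, the
    layout `openssl x509 -fingerprint -sha256` prints."""
    hexdigest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


if __name__ == "__main__":
    print("naive ==    :", naive_equal(SSL_CLIENT_CERT, REFERENCE_FILE))
    print("diverge at  :", first_difference(SSL_CLIENT_CERT, REFERENCE_FILE))
    print("canonical ==:", canonical_equal(SSL_CLIENT_CERT, REFERENCE_FILE))
    print("fingerprint :", fingerprint(SSL_CLIENT_CERT))
```

Run as-is, the naive comparison reports False and first_difference points at offset 27, the character right after "-----BEGIN CERTIFICATE-----", where one string has '\n' and the other '\r'. To apply the same check to a live server, replace the two constructed strings with the value dumped from $_SERVER['SSL_CLIENT_CERT'] and the raw bytes of CERT.pem (read in binary mode, so nothing normalises line endings on the way in). Whichever mechanism ends up doing the pinning, comparing the DER bytes or a digest of them rather than the PEM text removes the whole class of line-ending and trailing-whitespace mismatches.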
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org