[Bug 60456] New: export SSL_CLIENT_SAN_IPaddr variable


[Bug 60456] New: export SSL_CLIENT_SAN_IPaddr variable

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60456

            Bug ID: 60456
           Summary: export SSL_CLIENT_SAN_IPaddr variable
           Product: Apache httpd-2
           Version: 2.4.23
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: mod_ssl
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: ---

Hello,
Trying to implement mutual authentication with IP matching, I noticed that
mod_ssl doesn't export the client SAN IP.

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?revision=1750840&view=markup#l1076

Please add SSL_CLIENT_SAN_IPaddr.

Thank you

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]


[Bug 60456] export SSL_CLIENT_SAN_IPaddr variable

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60456

Andrei Ivanov <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All

--- Comment #1 from Andrei Ivanov <[hidden email]> ---
An even better fix would be to (also) have SSL_CLIENT_SAN_IPaddrs (note the
plural) as a list, to allow an expression like this:

"%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddrs}"

Without the list, I don't see how an expression like this can be properly
written.

This is inspired by PeerExtList:
SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6")


[Bug 60456] export SSL_CLIENT_SAN_IPaddr variable

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60456

--- Comment #2 from Andrei Ivanov <[hidden email]> ---
Any thoughts?


[Bug 60456] export SSL_CLIENT_SAN_IPaddr variable

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60456

--- Comment #3 from Andrei Ivanov <[hidden email]> ---
Anybody? :-(


[Bug 60456] export SSL_CLIENT_SAN_IPaddr variable

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60456

Szőgyényi Gábor <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


[Bug 60456] export SSL_CLIENT_SAN_IPaddr variable

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60456

--- Comment #4 from [hidden email] ---
Another user requesting this.  If devs are looking for justification then I
create certificates for my machines with SAN with both DNS and IPAddr for my
internal machines.  I use an internal private CA for both servers and clients.

I use the DNS for testing tools like postman, curl, etc... but we use the
IPAddr for most other configurations and tools.  We would like the SAN IPAddr
exposed so that we may verify it in the SSLRequire against the REMOTE_ADDR.  I
would like to verify that the certificate is from that remote host and not
another host, as an additional check that the certificate was not somehow copied
from the server and moved to another server, like a VM cloned accidentally or
maliciously.

Hostnames are not available on our servers to verify so DNS is not useful at
this layer.  While everything is spoofable this is just another mitigation.  
Also since we are using apache as a proxy much of the SSL information is not
forwarded to the application for additional verification.

I'd be happy with just SSL_CLIENT_SAN_IPADDR_# or similar but the list would
also be nice.


[Bug 60456] export SSL_CLIENT_SAN_IPaddr variable

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60456

--- Comment #5 from [hidden email] ---
Created attachment 35204
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35204&action=edit
Proposed Patch for SAN IP

Proposed Patch for getting ipaddr from SSL client cert

Proxy config might look like:
SSLRequire ( %{REMOTE_ADDR} in { %{SSL_CLIENT_SAN_IP_0}, %{SSL_CLIENT_SAN_IP_1}, %{SSL_CLIENT_SAN_IP_2} } )

It basically clones the ip address print statement from openssl slightly
altered as I could not see how to get openssl to do the formatting.  It
generates IPv6 with lower case which is in line with what I saw with
REMOTE_ADDR.

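Added illustration of the check that Comment #1 and Comment #5 describe (a REMOTE_ADDR-in-SAN-IP match); it is not the code from attachment 35204 nor anything from mod_ssl. The SAN entries are constructed sample values in the raw octet form X.509 stores for iPAddress GeneralNames (4 bytes for IPv4, 16 for IPv6); the functions render them the way REMOTE_ADDR renders addresses and show why a plain text comparison is fragile for IPv6.

```python
import ipaddress

# Constructed sample: SAN iPAddress entries of a client certificate, as the raw
# octet strings the extension stores them (not text).
SAN_IP_OCTETS = [
    bytes([10, 0, 0, 5]),                                  # 10.0.0.5
    bytes.fromhex("20010db8000000000000000000000001"),     # 2001:db8::1
]


def san_ip_to_text(octets):
    """Render one SAN iPAddress octet string as text the way REMOTE_ADDR does:
    dotted quad for IPv4, compressed lower-case hex for IPv6."""
    if len(octets) not in (4, 16):
        raise ValueError("iPAddress must be 4 or 16 octets, got %d" % len(octets))
    return str(ipaddress.ip_address(octets))


def normalize_remote_addr(text):
    """Parse REMOTE_ADDR into an address object. An IPv4 client arriving on a
    dual-stack (IPv6) listener is reported as ::ffff:a.b.c.d; unmap it so it
    compares equal to a 4-octet SAN entry."""
    addr = ipaddress.ip_address(text)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def naive_string_match(remote_addr, san_octets):
    """What an exact text comparison sees: "2001:DB8::1" != "2001:db8::1".
    This is why the proposed patch emits lower-case IPv6 to line up with REMOTE_ADDR."""
    return remote_addr in [san_ip_to_text(o) for o in san_octets]


def remote_addr_in_san(remote_addr, san_octets):
    """Semantic check: is the peer address one of the certificate's SAN IPs?
    Malformed (wrong-length) entries are skipped rather than matched."""
    client = normalize_remote_addr(remote_addr)
    return any(client == ipaddress.ip_address(o)
               for o in san_octets if len(o) in (4, 16))


if __name__ == "__main__":
    for o in SAN_IP_OCTETS:
        print("SAN IP:", san_ip_to_text(o))
    for peer in ("10.0.0.5", "::ffff:10.0.0.5", "2001:DB8::1", "10.0.0.6"):
        print(peer, "naive:", naive_string_match(peer, SAN_IP_OCTETS),
              "semantic:", remote_addr_in_san(peer, SAN_IP_OCTETS))
```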

[Bug 60456] export SSL_CLIENT_SAN_IPaddr variable

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=60456

--- Comment #6 from Andrei Ivanov <[hidden email]> ---
Btw, my main problem, the filtering, was solved with the help of a patch from
Yann Ylavic, pending inclusion:

http://mail-archives.apache.org/mod_mbox/httpd-dev/201707.mbox/%3CCAKQ1sVMZeDOLh62hE%2Bsrb92EgEWANjaoFkhOx5bD%3Dy4sG91wRg%40mail.gmail.com%3E

I still think it would be nice to have the SAN IP exposed as the rest of the
variables.
