logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: accept or reject certificates using user certificate fields
Author
uv



Joined: 11 Feb 2019
Posts: 3

PostPosted: Sat 12 Dec '20 9:38    Post subject: accept or reject certificates using user certificate fields Reply with quote

Hi!

I would like to know, is it possible to filter traffic by using policy identifier number in end user certificate. My goal is to accept only certificates with specific policy identifier numbers and reject all other requests.

Thanks,

UV
Back to top
tangent
Moderator


Joined: 16 Aug 2020
Posts: 348
Location: UK

PostPosted: Sun 13 Dec '20 18:40    Post subject: Reply with quote

In the past, I've used the following type of logic in a directory block to restrict access to client certificates issued by a specific iintermediate CA.

Code:
SSLVerifyClient require
SSLVerifyDepth 2

<Directory "<path-to-apache>/htdocs/restricted"
    SSLRequireSSL
    Require expr ( \
      %{SSL_CLIENT_I_DN_CN} eq "Some Intermediate Certificate Authority" && \
      %{SSL_CLIENT_I_DN_OU} eq "Some Division OU" && \
      %{SSL_CLIENT_I_DN_O} eq "Some Company" && \
      %{SSL_CLIENT_I_DN_C} eq "Somewhere" && \
      %{SSL_CLIENT_V_REMAIN} ge "0" \
    )
</Directory>

The CA's we used did not include Policies, but would have thought adding a suitable PeerExtList entry would meet your requirements, viz.

Code:
    SSLRequireSSL
    Require expr ( \
      "My Policy" in PeerExtList("1.2.3.4.5.6") && \
      %{SSL_CLIENT_I_DN_CN} eq "Some Intermediate Certificate Authority" && \
      %{SSL_CLIENT_I_DN_OU} eq "Some Division OU" && \
      %{SSL_CLIENT_I_DN_O} eq "Some Company" && \
      %{SSL_CLIENT_I_DN_C} eq "Somewhere" && \
      %{SSL_CLIENT_V_REMAIN} ge "0" \
    )

Insert your OID or its shortname and details as appropriate.

See the SSLRequire Directive section of https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite for deprecated SSLRequire syntax, which mentions PeerExtList.


Last edited by tangent on Wed 16 Dec '20 0:35; edited 1 time in total
Back to top
uv



Joined: 11 Feb 2019
Posts: 3

PostPosted: Tue 15 Dec '20 11:52    Post subject: Reply with quote

Nice hint, thanks!

But unfortunately it seems we cannot use structured fields with peerextlist.
Back to top


Reply to topic   Topic: accept or reject certificates using user certificate fields View previous topic :: View next topic
Post new topic   Forum Index -> Apache