Topic: accept or reject certificates using user certificate fields
uv



Joined: 11 Feb 2019
Posts: 3

PostPosted: Sat 12 Dec '20 9:38    Post subject: accept or reject certificates using user certificate fields

Hi!

I would like to know whether it is possible to filter traffic by using the policy identifier number in the end-user certificate. My goal is to accept only certificates with specific policy identifier numbers and reject all other requests.

Thanks,

UV
tangent
Moderator


Joined: 16 Aug 2020
Posts: 312
Location: UK

PostPosted: Sun 13 Dec '20 18:40

In the past, I've used the following type of logic in a directory block to restrict access to client certificates issued by a specific intermediate CA.

Code:
SSLVerifyClient require
SSLVerifyDepth 2

<Directory "<path-to-apache>/htdocs/restricted">
    SSLRequireSSL
    Require expr ( \
      %{SSL_CLIENT_I_DN_CN} eq "Some Intermediate Certificate Authority" && \
      %{SSL_CLIENT_I_DN_OU} eq "Some Division OU" && \
      %{SSL_CLIENT_I_DN_O} eq "Some Company" && \
      %{SSL_CLIENT_I_DN_C} eq "Somewhere" && \
      %{SSL_CLIENT_V_REMAIN} ge "0" \
    )
</Directory>

The CAs we used did not include policies, but I would have thought adding a suitable PeerExtList entry would meet your requirements, viz.

Code:
<Directory "<path-to-apache>/htdocs/restricted">
    SSLRequireSSL
    Require expr ( \
      "My Policy" in PeerExtList("1.2.3.4.5.6") && \
      %{SSL_CLIENT_I_DN_CN} eq "Some Intermediate Certificate Authority" && \
      %{SSL_CLIENT_I_DN_OU} eq "Some Division OU" && \
      %{SSL_CLIENT_I_DN_O} eq "Some Company" && \
      %{SSL_CLIENT_I_DN_C} eq "Somewhere" && \
      %{SSL_CLIENT_V_REMAIN} ge "0" \
    )
</Directory>

Insert your OID or its shortname and details as appropriate.

See the SSLRequire Directive section of https://httpd.apache.org/docs/current/mod/mod_ssl.html#sslciphersuite for deprecated SSLRequire syntax, which mentions PeerExtList.


Last edited by tangent on Wed 16 Dec '20 0:35; edited 1 time in total
uv



Joined: 11 Feb 2019
Posts: 3

PostPosted: Tue 15 Dec '20 11:52

Nice hint, thanks!

But unfortunately it seems we cannot use structured fields with PeerExtList.
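An added example, not code from the thread or from mod_ssl, illustrating uv's point: certificatePolicies is a DER SEQUENCE of PolicyInformation, so the policy OIDs have to be decoded out of the structure before they can be compared to an allowlist such as "1.2.3.4.5.6". The OIDs and the sample extension bytes are constructed for the illustration.

```python
# Added example, not from the thread: decode a DER certificatePolicies
# extension value and check its policy OIDs against an allowlist.
#   certificatePolicies ::= SEQUENCE OF PolicyInformation
#   PolicyInformation   ::= SEQUENCE { policyIdentifier OID, qualifiers OPTIONAL }
# It is a nested structure, not a string, so a bare "1.2.3.4.5.6" cannot match it.

def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(contents):                     # OBJECT IDENTIFIER -> dotted form
    arcs, acc = [contents[0] // 40, contents[0] % 40], 0
    for b in contents[1:]:
        acc = (acc << 7) | (b & 0x7F)          # base-128, high bit = continue
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def policy_oids(ext_value):
    """Return the policy OIDs in a DER-encoded certificatePolicies value."""
    tag, seq, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, info, pos = _read_tlv(seq, pos)   # one PolicyInformation
        oid_tag, oid, _ = _read_tlv(info, 0)   # policyIdentifier comes first
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(_decode_oid(oid))           # any qualifiers after it are skipped
    return oids

def policy_allowed(ext_value, allowed_oids):   # True if any asserted policy is allowlisted
    return any(oid in allowed_oids for oid in policy_oids(ext_value))

# Constructed sample (hypothetical OID as in the thread): one policy with a CPS qualifier, then anyPolicy.
SAMPLE = bytes.fromhex(
    "302d"                              # certificatePolicies SEQUENCE, 45 bytes
    "3023"                              #   PolicyInformation, 35 bytes
    "0605" "2a03040506"                 #     policyIdentifier 1.2.3.4.5.6
    "301a" "3018"                       #     policyQualifiers / PolicyQualifierInfo
    "0608" "2b06010505070201"           #       id-qt-cps
    "160c" "687474703a2f2f782f637073"   #       IA5String "http://x/cps"
    "3006" "0604" "551d2000"            #   PolicyInformation: anyPolicy 2.5.29.32.0
)
```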

