How to allow only certain Certificates

Hello,

how can I restrict access to my Apache to owners of certain individual
certificates?

I have tried the following (it doesn't work, however):

SSLREQUIRE %{SSL_CLIENT_S_DN_UID} in {"<Subject Key Identifier1>","<Subject Key Identifier2>",...}

where <Subject Key Identifier> is the X509 extension Subject Key Identifier of
the client's certificate.
I tried it with colons and without.
The expression always results in false.

What is the corresponding value for SSL_CLIENT_S_DN_UID in a certificate?

Thanks

Harry
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org
Harry Knitter [ Wed, 12 October 2005 08:39 ] [ ID #1008267 ]

Fwd: How to allow only certain Certificates

Helps if I send this from the address that is actually subscribed to the list...

resending

---------- Forwarded message ----------
From: Cliff Woolley
Date: Oct 12, 2005 7:41 AM
Subject: Re: How to allow only certain Certificates
To: modssl-users [at] modssl.org


On 10/12/05, Dr. Harry Knitter <harry [at] knitter-edv-beratung.de> wrote:
> how can I restrict access to my Apache to owners of certain individual
> certificates?

Sounds like a good case for FakeBasicAuth combined with Require User.

http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#ssloptions

Hope this helps,
Cliff
Cliff Woolley [ Fri, 14 October 2005 13:38 ] [ ID #1013418 ]

Re: Fwd: How to allow only certain Certificates

On Friday, 14 October 2005 13:38, Cliff Woolley wrote:
> Helps if I send this from the address that is actually subscribed to the
> list...
>
> resending
>
> ---------- Forwarded message ----------
> From: Cliff Woolley
> Date: Oct 12, 2005 7:41 AM
> Subject: Re: How to allow only certain Certificates
> To: modssl-users [at] modssl.org
>
> On 10/12/05, Dr. Harry Knitter <harry [at] knitter-edv-beratung.de> wrote:
> > how can I restrict access to my Apache to owners of certain individual
> > certificates?
>
> Sounds like a good case for FakeBasicAuth combined with Require User.
>
> http://httpd.apache.org/docs/2.0/mod/mod_ssl.html#ssloptions
>
> Hope this helps,
> Cliff


Thanks, however, I'd prefer something like the Unique Subject Identifier or
perhaps the Fingerprints. DNs can be faked easily.

Harry
Harry Knitter [ Fri, 14 October 2005 14:58 ] [ ID #1013419 ]

Re: Fwd: How to allow only certain Certificates

On 10/14/05, Dr. Harry Knitter <harry [at] knitter-edv-beratung.de> wrote:

> Thanks, however, I'd prefer something like the Unique Subject Identifier or
> perhaps the Fingerprints. DNs can be faked easily.

Not if you require your own CA as the issuing authority using
SSLCACertificateFile and SSLRequire, they can't...

--Cliff
Cliff Woolley [ Fri, 14 October 2005 16:08 ] [ ID #1013420 ]
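
The two suggestions from the thread (a private CA pinned with SSLCACertificateFile and SSLRequire, plus FakeBasicAuth with Require user) combined into one mod_ssl 2.0 configuration, as an added example that is not part of the original posts. All file paths, the CA name and the subject DNs are constructed placeholders.

```apache
# Added example (Apache 2.0 / mod_ssl); every path, CA name and DN below
# is a constructed placeholder, not a value from the thread.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Only this private CA is trusted for client certificates, so a DN
    # can only appear in a certificate that this CA chose to sign.
    SSLCACertificateFile  /etc/apache2/ssl/example-private-ca.crt

    <Location /restricted>
        # A verified client certificate is mandatory; depth 1 means it
        # must be signed directly by the CA above (no intermediates).
        SSLVerifyClient require
        SSLVerifyDepth  1

        # SSL_CLIENT_I_DN_* / SSL_CLIENT_S_DN_* expose components of the
        # issuer / subject DN (CN, O, OU, UID, Email, ...). They are DN
        # attributes, not X.509 extensions such as Subject Key Identifier.
        SSLRequire %{SSL_CLIENT_I_DN_O}  eq "Example" \
               and %{SSL_CLIENT_I_DN_CN} eq "Example-Private-CA"

        # FakeBasicAuth turns the subject DN into the Basic-auth user
        # name, so individual certificates can be listed by DN.
        SSLOptions   +FakeBasicAuth
        AuthType     Basic
        AuthName     "Client certificate required"
        AuthUserFile /etc/apache2/ssl/allowed-clients.passwd
        Require user /C=DE/O=Example/CN=alice /C=DE/O=Example/CN=bob
    </Location>
</VirtualHost>

# allowed-clients.passwd: one line per allowed subject DN. With
# FakeBasicAuth the password field is always the crypt() hash of the
# literal word "password", as documented for mod_ssl:
#   /C=DE/O=Example/CN=alice:xxj31ZMTZzkVA
#   /C=DE/O=Example/CN=bob:xxj31ZMTZzkVA
```

A subject DN that contains spaces must be quoted in the Require user line.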