Trying to compare client-cert pem-file to %{SSL_CLIENT_CERT}

Dear subscribers!

For a custom update site, we want to binary-check the (self-signed) certificates sent by our client applications against a physical copy of the certificate residing on our server. (Standard matching rules are deployed and working, but considered "not enough".) The rules per application reside inside an .htaccess file per directory associated with the solution.
The problem is that the comparison

SSLRequire ( %{SSL_CLIENT_CERT} == file("/pathto/solutionIDxyzabc/CERT.pem") )

always fails ("[info] Failed expression:"). Loading the certificate into a fresh environment variable doesn't improve the situation, neither does holding the pem-encoded certificate data directly inside the rule. When I output $_SERVER['SSL_CLIENT_CERT'] and the variable holding the reference certificate via php, I get seemingly identical outputs. I think, tho, that the differences are in the realm of the non-printable characters of the client certificate, like trailing spaces or line breaks, which can't be analyzed with php in the middle. Unfortunately, the rule can't be debugged so well in context, because of a lack of print statements in the configuration context. LogLevel debug states nothing more than that the rule given above failed to yield 'true'.

I checked the first couple dozen hits for "'SSL_CLIENT_CERT'" on Google, but all of them are either occurrences of the default configuration file (explaining that ExportCertData generates the input for SSL_CLIENT_CERT and SSL_SERVER_CERT) or concerned with handing the certificate through a proxy to a backend server, which doesn't apply to my situation. The mailing list archive didn't seem to have a matching problem either (and encumbers the search by removing the _'s from SSL_CLIENT_CERT' :P).

I would be grateful for any pointers towards how to implement this rule or a specification as to how SSL_CLIENT_CERT is formatted (i.e. how the reference file/data should look).

The versions used:
# openssl version
OpenSSL 0.9.8g 19 Oct 2007
# apache2 -v
Server version: Apache/2.2.8 (Ubuntu)
Server built: Jun 18 2009 08:45:39
Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 mod_jk/1.2.25 mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 Server at * Port 443

Many thanks in advance!

Best regards,

--Christoph Schmidt
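As an added illustration, not part of the original post, the script below shows why a bytewise `==` on PEM text is fragile and what a robust check looks like: both sides are stripped of their armour and whitespace and decoded to DER before comparing, so line wrapping, CR/LF endings and trailing spaces no longer matter. The PEM body is a constructed base64 blob (not a real X.509 certificate) and the helper names are my own.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: the base64 body is NOT a real certificate, just bytes
# wrapped in PEM armour, enough to demonstrate layout-independent comparison.
REFERENCE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBITCBzKADAgECAgEBMA0GCSqGSIb3DQEBBQUAMBAxDjAMBgNVBAMMBXRlc3Qx\n"
    "MB4XDTEwMDIxNTAwMDAwMFoXDTIwMDIxNTAwMDAwMFowEDEOMAwGA1UEAwwFdGVz\n"
    "dDE=\n"
    "-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Decode the first CERTIFICATE block to DER. Every whitespace character
    inside the armour (CR, LF, space, tab) is dropped first, so the result
    does not depend on how the sender wrapped or terminated the lines."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(r"\s+", "", match.group(1))
    return base64.b64decode(body, validate=True)


def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes: a compact, layout-independent identity."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def same_certificate(pem_a: str, pem_b: str) -> bool:
    """Constant-time comparison of the two DER encodings."""
    return hmac.compare_digest(pem_to_der(pem_a), pem_to_der(pem_b))


def rewrap(pem: str, newline: str = "\r\n", width: int = 76, trailing: str = " ") -> str:
    """Re-emit the same certificate with a different PEM layout (CRLF, other
    line width, trailing blanks), mimicking what a client may hand over."""
    b64 = base64.b64encode(pem_to_der(pem)).decode()
    lines = [b64[i:i + width] + trailing for i in range(0, len(b64), width)]
    return ("-----BEGIN CERTIFICATE-----" + newline + newline.join(lines)
            + newline + "-----END CERTIFICATE-----")


if __name__ == "__main__":
    client_pem = rewrap(REFERENCE_PEM)
    print("bytewise equal:", client_pem == REFERENCE_PEM)            # False
    print("DER equal     :", same_certificate(client_pem, REFERENCE_PEM))  # True
    print("sha256        :", fingerprint(REFERENCE_PEM))
```

The same idea transfers to the server side: compare a fingerprint of the reference file against a fingerprint computed from the presented certificate, rather than the raw PEM strings.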

Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org
Christoph Schmidt [ Mon, 15 February 2010 09:09 ] [ ID #2032365 ]
