Bug 60456

Summary: export SSL_CLIENT_SAN_IPaddr variable
Product: Apache httpd-2
Reporter: Andrei Ivanov <andrei.ivanov>
Component: mod_ssl
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW
Resolution: ---
Severity: normal
CC: szg0000
Priority: P2
Version: 2.4.23
Target Milestone: ---
Hardware: PC
OS: All
Attachments: Proposed Patch for SAN IP

Description Andrei Ivanov 2016-12-08 15:44:58 UTC
Hello,
Trying to implement mutual authentication with IP matching, I noticed that mod_ssl doesn't export the client SAN IP.

http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?revision=1750840&view=markup#l1076

Please add SSL_CLIENT_SAN_IPaddr.

Thank you
Comment 1 Andrei Ivanov 2016-12-20 08:50:07 UTC
An even better fix would be to (also) have SSL_CLIENT_SAN_IPaddrs (note the plural) as a list, to allow an expression like this:

"%{REMOTE_ADDR} in %{SSL_CLIENT_SAN_IPaddrs}"

Without the list, I don't see how an expression like this can be properly written.

This is inspired by PeerExtList:
SSLRequire "foobar" in PeerExtList("1.2.3.4.5.6")
Comment 2 Andrei Ivanov 2017-01-12 14:55:03 UTC
Any thoughts?
Comment 3 Andrei Ivanov 2017-02-10 10:50:34 UTC
Anybody? :-(
Comment 4 abbotttodd 2017-03-07 17:55:05 UTC
Another user requesting this. If devs are looking for justification: I create certificates for my machines with a SAN containing both DNS and IPAddr entries for my internal machines. I use an internal private CA for both servers and clients.

I use the DNS for testing tools like postman, curl, etc., but we use the IPAddr for most other configurations and tools. We would like the SAN IPAddr exposed so that we may verify it in the SSLRequire against the REMOTE_ADDR. I would like to verify that the certificate is from that remote host and not another host, as an additional check that the certificate was not somehow copied from the server and moved to another server, like a VM cloned accidentally or maliciously.

Hostnames are not available on our servers to verify, so DNS is not useful at this layer. While everything is spoofable, this is just another mitigation. Also, since we are using apache as a proxy, much of the SSL information is not forwarded to the application for additional verification.

I'd be happy with just SSL_CLIENT_SAN_IPADDR_# or similar but the list would also be nice.
Comment 5 abbotttodd 2017-08-07 21:26:28 UTC
Created attachment 35204
Proposed Patch for SAN IP

Proposed Patch for getting ipaddr from SSL client cert

Proxy config might look like:
SSLRequire ( %{REMOTE_ADDR} in { %{SSL_CLIENT_SAN_IP_0}, %{SSL_CLIENT_SAN_IP_1}, %{SSL_CLIENT_SAN_IP_2} } )

It basically clones the IP address print statement from openssl, slightly altered, as I could not see how to get openssl to do the formatting. It generates IPv6 in lowercase, which is in line with what I saw with REMOTE_ADDR.
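The following is an added example, not part of the bug report and not the code in attachment 35204 or in mod_ssl. It illustrates the two points raised in Comment 1 and Comment 5: an iPAddress SAN is stored in the certificate as 4 or 16 raw octets, and those octets have to be rendered into the same text shape as REMOTE_ADDR before an expression such as `%{REMOTE_ADDR} in { %{SSL_CLIENT_SAN_IP_0}, ... }` can match. The function names `format_san_ip`, `format_equals` and `san_ip_matches`, and the sample octet arrays, are assumptions made up for this example; the formatting uses the C library's `inet_ntop`, which produces dotted quads and compressed lowercase IPv6, rather than a hand-written printer.

```c
/* Added example (not attachment 35204, not mod_ssl code): turn the raw
 * octets of an iPAddress SAN into REMOTE_ADDR-style text, and compare the
 * two in a way that does not depend on how the text happens to be spelled. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Map an iPAddress octet length to an address family; 0 if it is not a
 * legal iPAddress encoding (only 4 and 16 octets are valid). */
static int af_for_len(size_t len)
{
    if (len == 4)  return AF_INET;
    if (len == 16) return AF_INET6;
    return 0;
}

/* Format SAN octets as text. inet_ntop gives "10.1.2.3" for 4 octets and
 * compressed, lowercase hex such as "2001:db8::1" for 16 octets, the same
 * shape REMOTE_ADDR has. Returns 0 on success, -1 on a bad length or a
 * buffer that is too small. */
int format_san_ip(const unsigned char *octets, size_t len, char *out, size_t outlen)
{
    int af = af_for_len(len);
    if (af == 0)
        return -1;
    if (inet_ntop(af, octets, out, (socklen_t)outlen) == NULL)
        return -1;
    return 0;
}

/* Convenience check: 1 if the formatted SAN equals `expected`, 0 otherwise
 * (including when the octets cannot be formatted at all). */
int format_equals(const unsigned char *octets, size_t len, const char *expected)
{
    char buf[INET6_ADDRSTRLEN];
    if (format_san_ip(octets, len, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

/* Compare SAN octets against a REMOTE_ADDR-style string by parsing the
 * string back into octets. "::1" and "0:0:0:0:0:0:0:1" therefore both match
 * a 16-octet SAN of ::1, which a plain string comparison would miss.
 * Returns 1 on match, 0 otherwise (wrong family, unparsable string, mismatch). */
int san_ip_matches(const unsigned char *octets, size_t len, const char *remote_addr)
{
    unsigned char parsed[16];
    int af = af_for_len(len);
    if (af == 0)
        return 0;
    if (inet_pton(af, remote_addr, parsed) != 1)
        return 0;
    return memcmp(parsed, octets, len) == 0;
}

/* Constructed sample values standing in for what a client certificate
 * would carry in its iPAddress SAN entries. */
const unsigned char SAMPLE_V4[4]  = { 10, 1, 2, 3 };
const unsigned char SAMPLE_V6[16] = { 0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
                                      0, 0, 0, 0, 0, 0, 0, 1 };

int main(void)
{
    char buf[INET6_ADDRSTRLEN];

    if (format_san_ip(SAMPLE_V4, sizeof SAMPLE_V4, buf, sizeof buf) == 0)
        printf("SSL_CLIENT_SAN_IP_0=%s\n", buf);
    if (format_san_ip(SAMPLE_V6, sizeof SAMPLE_V6, buf, sizeof buf) == 0)
        printf("SSL_CLIENT_SAN_IP_1=%s\n", buf);

    /* A fully expanded REMOTE_ADDR still matches the compressed SAN text. */
    printf("match=%d\n",
           san_ip_matches(SAMPLE_V6, sizeof SAMPLE_V6,
                          "2001:0db8:0000:0000:0000:0000:0000:0001"));
    return 0;
}
```

The design point is in `san_ip_matches`: if a server compares the exported variable to REMOTE_ADDR as strings, both sides must be produced by the same formatter (which is why Comment 5 notes lowercase IPv6). Parsing the peer address back to octets removes that dependency, and an octet count other than 4 or 16 is rejected rather than formatted.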
Comment 6 Andrei Ivanov 2017-08-08 06:54:06 UTC
Btw, my main problem, the filtering, was solved with the help of a patch from Yann Ylavic, pending inclusion:

http://mail-archives.apache.org/mod_mbox/httpd-dev/201707.mbox/%3CCAKQ1sVMZeDOLh62hE%2Bsrb92EgEWANjaoFkhOx5bD%3Dy4sG91wRg%40mail.gmail.com%3E

I still think it would be nice to have the SAN IP exposed as the rest of the variables.