https://bz.apache.org/bugzilla/show_bug.cgi?id=60456
--- Comment #4 from [email protected] ---

Another user requesting this. If devs are looking for justification, then I create certificates for my machines with SAN with both DNS and IPAddr for my internal machines. I use an internal private CA for both servers and clients. I use the DNS for testing tools like Postman, curl, etc... but we use the IPAddr for most other configurations and tools.

We would like the SAN IPAddr exposed so that we may verify it in the SSLRequire against the REMOTE_ADDR. I would like to verify that the certificate is from that remote host and not another host, as an additional check that the certificate was not somehow copied from the server and moved to another server, like a VM cloned accidentally or maliciously. Hostnames are not available on our servers to verify, so DNS is not useful at this layer. While everything is spoofable, this is just another mitigation. Also, since we are using Apache as a proxy, much of the SSL information is not forwarded to the application for additional verification.

I'd be happy with just SSL_CLIENT_SAN_IPADDR_# or similar, but the list would also be nice.
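The check requested in the comment above (client certificate SAN IP address must equal the connection's remote address), sketched as an added example that is not part of the bug report or of Apache httpd. It assumes a Python service that terminates TLS itself and already holds the dict returned by `ssl.SSLSocket.getpeercert()` plus the peer address; the function names and the sample certificate are constructed for illustration.

```python
import ipaddress

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "client01.internal.example"),),),
    "subjectAltName": (
        ("DNS", "client01.internal.example"),
        ("IP Address", "10.20.30.40"),
        ("IP Address", "FD00:0:0:0:0:0:0:40"),
    ),
}


def _normalize(text):
    """Parse an address and fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    addr = ipaddress.ip_address(text.strip())
    # A dual-stack listener reports IPv4 clients as IPv4-mapped IPv6;
    # without folding, the comparison fails for a legitimate peer.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def san_ip_addresses(peercert):
    """Return the set of iPAddress SAN entries; DNS entries are ignored."""
    return {
        _normalize(value)
        for kind, value in peercert.get("subjectAltName", ())
        if kind == "IP Address"
    }


def cert_matches_peer(peercert, remote_addr):
    """True only if remote_addr equals one of the certificate's SAN IPs.

    Fails closed: no SAN IP entries, a malformed SAN value, or an
    unparsable remote address all yield False.
    """
    try:
        return _normalize(remote_addr) in san_ip_addresses(peercert)
    except ValueError:
        return False


if __name__ == "__main__":
    for peer in ("10.20.30.40", "::ffff:10.20.30.40", "fd00::40", "10.20.30.41"):
        print(peer, cert_matches_peer(SAMPLE_CERT, peer))
```

Addresses are compared as parsed values rather than strings, so differences in case or zero compression between the certificate and the socket layer do not cause false rejections.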
