Dear subscribers!

For a custom update site, we want to binary-check the (self-signed) 
certificates sent by our client applications against a physical copy of the 
certificate residing on our server. (Standard matching rules are deployed and 
working, but considered "not enough".) The rules per application reside inside 
an .htaccess file per directory associated with the solution.
The problem is that the comparison

SSLRequire ( %{SSL_CLIENT_CERT} == file("/pathto/solutionIDxyzabc/CERT.pem") )

always fails ("[info] Failed expression:"). Loading the certificate into a 
fresh environment variable doesn't improve the situation, neither does holding 
the pem-encoded certificate data directly inside the rule. When I output 
$_SERVER['SSL_CLIENT_CERT'] and the variable holding the reference certificate 
via php, I get seemingly identical outputs. I think, though, that the differences 
are in the realm of the non-printable characters of the client certificate, 
like trailing spaces or line breaks, which can't be analyzed with php in the 
middle. Unfortunately, the rule can't be debugged so well in context, because 
of a lack of print statements in the configuration context. LogLevel debug 
states nothing more than that the rule given above failed to yield 'true'.

I checked the first couple dozen hits for "'SSL_CLIENT_CERT'" on Google, but 
all of them are either occurrences of the default configuration file 
(explaining that ExportCertData generates the input for SSL_CLIENT_CERT and 
SSL_SERVER_CERT) or concerned with handing the certificate through a proxy to a 
backend server, which doesn't apply to my situation. The mailing list archive 
didn't seem to have a matching problem either (and encumbers the search by 
removing the _'s from SSL_CLIENT_CERT' :P).

I would be grateful for any pointers towards how to implement this rule or a 
specification as to how SSL_CLIENT_CERT is formatted (i.e. how the reference 
file/data should look).

The versions used:
# openssl version
OpenSSL 0.9.8g 19 Oct 2007
# apache2 -v
Server version: Apache/2.2.8 (Ubuntu)
Server built:   Jun 18 2009 08:45:39
Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 mod_jk/1.2.25 mod_python/3.3.1 
Python/2.5.2 PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 
OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 Server at * Port 443

Many thanks in advance!

Best regards,

--Christoph Schmidt
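The comparison from the post can be reproduced outside Apache. What follows is an added example, not part of the original message: a small Python normaliser that strips the PEM armour and every whitespace character, decodes the body to DER and compares (or fingerprints) the DER, so that a CR/LF versus LF difference or a missing trailing newline no longer matters; `first_difference` locates such a difference and shows it with repr() so the invisible characters become readable. It uses a constructed byte string in place of a real certificate and makes no claim about how mod_ssl itself frames SSL_CLIENT_CERT; feed it the two real strings (the file contents and the exported variable) to see exactly where they diverge.

```python
import base64
import hashlib
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and all whitespace, return the DER bytes.

    Two PEM renderings of the same certificate (LF vs CRLF, with or without a
    trailing newline, extra blank lines) decode to identical DER, so DER is
    the value to compare rather than the raw text.
    """
    start = pem.find(PEM_HEADER)
    end = pem.find(PEM_FOOTER)
    if start < 0 or end < 0 or end < start:
        raise ValueError("not a PEM-armoured certificate")
    body = pem[start + len(PEM_HEADER):end]
    body = re.sub(r"\s+", "", body)          # CR, LF, tabs and spaces are framing only
    return base64.b64decode(body, validate=True)


def fingerprint(pem: str, algo: str = "sha256") -> str:
    """Colon-separated uppercase hex digest of the DER, in the AB:CD:... form
    that openssl x509 -fingerprint prints."""
    digest = hashlib.new(algo, pem_to_der(pem)).digest()
    return ":".join(f"{b:02X}" for b in digest)


def same_certificate(a: str, b: str) -> bool:
    """True when both PEM strings carry the same certificate, whatever the framing."""
    return pem_to_der(a) == pem_to_der(b)


def first_difference(a: str, b: str):
    """Find the first differing character; repr() makes CR/LF/space visible.

    Returns (index, repr(a-slice), repr(b-slice)), or None if the strings are equal.
    """
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i, repr(a[i:i + 8]), repr(b[i:i + 8])
    if len(a) != len(b):
        i = min(len(a), len(b))
        return i, repr(a[i:i + 8]), repr(b[i:i + 8])
    return None


def to_pem(der: bytes, newline: str = "\n", trailing_newline: bool = True) -> str:
    """Render DER as PEM with a chosen line ending (only used to build sample input)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    text = newline.join([PEM_HEADER, *lines, PEM_FOOTER])
    return text + newline if trailing_newline else text


# Constructed placeholder bytes standing in for a DER certificate. This is NOT
# a real certificate; it only has the same framing problem as one.
SAMPLE_DER = bytes(range(96))

# Constructed inputs: the reference file as most tools write it (LF, trailing
# newline) and the same certificate rendered with CRLF and no trailing newline,
# the kind of invisible difference that makes a byte-for-byte comparison fail.
REFERENCE_PEM = to_pem(SAMPLE_DER)
CLIENT_VALUE = to_pem(SAMPLE_DER, newline="\r\n", trailing_newline=False)


if __name__ == "__main__":
    print("raw text equal:       ", REFERENCE_PEM == CLIENT_VALUE)
    print("first difference:     ", first_difference(REFERENCE_PEM, CLIENT_VALUE))
    print("same certificate:     ", same_certificate(REFERENCE_PEM, CLIENT_VALUE))
    print("reference fingerprint:", fingerprint(REFERENCE_PEM))
    print("client fingerprint:   ", fingerprint(CLIENT_VALUE))
```

The same idea carries over to the server-side rule: a match on the DER bytes or on a certificate fingerprint is robust against framing, whereas a byte-for-byte comparison of PEM text fails on the first stray CR or missing newline, which is exactly the symptom described above.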
