Dear subscribers!

For a custom update site, we want to binary-check the (self-signed) certificates sent by our client applications against a physical copy of the certificate residing on our server. (Standard matching rules are deployed and working, but considered "not enough".) The rules per application reside inside an .htaccess file per directory associated with the solution.

The problem is that the comparison

    SSLRequire ( %{SSL_CLIENT_CERT} == file("/pathto/solutionIDxyzabc/CERT.pem") )

always fails ("[info] Failed expression:"). Loading the certificate into a fresh environment variable doesn't improve the situation, neither does holding the PEM-encoded certificate data directly inside the rule.

When I output $_SERVER['SSL_CLIENT_CERT'] and the variable holding the reference certificate via PHP, I get seemingly identical outputs. I think, though, that the differences are in the realm of the non-printable characters of the client certificate, like trailing spaces or line breaks, which can't be analyzed with PHP in the middle.

Unfortunately, the rule can't be debugged so well in context, because of a lack of print statements in the configuration context. LogLevel debug states nothing more than that the rule given above failed to yield 'true'.

I checked the first couple dozen hits for 'SSL_CLIENT_CERT' on Google, but all of them are either occurrences of the default configuration file (explaining that ExportCertData generates the input for SSL_CLIENT_CERT and SSL_SERVER_CERT) or concerned with handing the certificate through a proxy to a backend server, which doesn't apply to my situation. The mailing list archive didn't seem to have a matching problem either (and encumbers the search by removing the _'s from SSL_CLIENT_CERT :P).

I would be grateful for any pointers towards how to implement this rule or a specification as to how SSL_CLIENT_CERT is formatted (i.e. how the reference file/data should look).

The versions used:

    # openssl version
    OpenSSL 0.9.8g 19 Oct 2007

    # apache2 -v
    Server version: Apache/2.2.8 (Ubuntu)
    Server built: Jun 18 2009 08:45:39

    Apache/2.2.8 (Ubuntu) DAV/2 SVN/1.4.6 mod_jk/1.2.25 mod_python/3.3.1 Python/2.5.2 PHP/5.2.4-2ubuntu5.6 with Suhosin-Patch mod_ssl/2.2.8 OpenSSL/0.9.8g mod_perl/2.0.3 Perl/v5.8.8 Server at * Port 443

Many thanks in advance!

Best regards,
--Christoph Schmidt
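
Added example, not part of the original message and not mod_ssl code: a Python sketch of comparing two PEM certificates by their decoded DER bytes, so that line wrapping, CR/LF and trailing newlines in the PEM text cannot cause a mismatch. The sample data is constructed (arbitrary bytes standing in for a certificate), and the wrapping used for AS_EXPORTED is an assumption for illustration, not a statement of how mod_ssl formats SSL_CLIENT_CERT.

```python
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem_text):
    """Return the DER bytes inside the first PEM CERTIFICATE block."""
    match = PEM_RE.search(pem_text)
    if match is None:
        raise ValueError("no PEM certificate block found")
    # Drop all whitespace (CR, LF, spaces, tabs) before decoding.
    b64 = "".join(match.group(1).split())
    return base64.b64decode(b64, validate=True)

def fingerprint(pem_text):
    """SHA-256 over the DER bytes, independent of PEM text layout."""
    return hashlib.sha256(pem_to_der(pem_text)).hexdigest()

def same_certificate(pem_a, pem_b):
    """Binary comparison of two certificates given as PEM text."""
    return hmac.compare_digest(pem_to_der(pem_a), pem_to_der(pem_b))

def wrap_pem(der, width, eol, trailing):
    """Helper for the constructed samples: PEM-armor DER bytes."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    body = eol.join(["-----BEGIN CERTIFICATE-----"] + lines
                    + ["-----END CERTIFICATE-----"])
    return body + trailing

# Constructed sample data: 200 arbitrary bytes, not a real X.509 certificate.
SAMPLE_DER = bytes(range(200))
ON_DISK = wrap_pem(SAMPLE_DER, 64, "\n", "\n")      # reference file layout
AS_EXPORTED = wrap_pem(SAMPLE_DER, 76, "\r\n", "")  # assumed other layout
OTHER = wrap_pem(SAMPLE_DER[::-1], 64, "\n", "\n")  # a different certificate

if __name__ == "__main__":
    print("text equal:", ON_DISK == AS_EXPORTED)
    print("DER equal: ", same_certificate(ON_DISK, AS_EXPORTED))
    print("other cert:", same_certificate(ON_DISK, OTHER))
    print("sha256:    ", fingerprint(ON_DISK))
```

Printing repr() of both PEM strings is a quick way to see which non-printable characters differ between the reference file and the received value.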