
I'm having trouble with Apache 2.2 and the small documentation that I can find for the file function of SSLRequire. I'm trying to check the email property of the client certificate in a request using SSLRequire.

The following option in httpd.conf file works well:

SSLRequire %{SSL_CLIENT_S_DN_Email} in { "mail@example.com" }

but as I can read in the documentation, you can use a list of values for the filter.

Quoting from the official documentation:

file(filename) - This function takes one string argument and expands to the contents of the file. This is especially useful for matching these contents against a regular expression, etc.

So, following the documentation I put the following in the httpd.conf file:

SSLRequire %{SSL_CLIENT_S_DN_Email} in { file("/etc/httpd/mail-list") }

The file mail-list contains only one line with the content mail@example.com (trying to simulate the option that works without file).

But when I try to access my HTTPS server I see the following in the logs:

Failed expression: %{SSL_CLIENT_S_DN_Email} in { file("/etc/httpd/mail-list") }

This message normally appears when the pattern can't be applied. Can someone help me here: how can I use this functionality?

Jos3k4

2 Answers

According to this old thread on the apache-modssl mailing list, file() reads the contents of the file into a single string, and so special characters (such as newlines) in the referenced file may break the SSLRequire syntax.

Given that this was posted by the original author of mod_ssl, I'd trust this theory to be spot on.

Try with the following contents in /etc/httpd/mail-list:

"mail@example.com","mail@example.org","mail2@example.org"

with no trailing newline.

Mathias R. Jessen
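An added helper (not part of this answer, and not an Apache tool) that writes the mail-list in the quoted, comma-separated, newline-free form suggested above, and checks an existing file for the trailing-newline problem before Apache is reloaded. The path used in the test is a temporary file; the post's own path is /etc/httpd/mail-list.

```shell
#!/bin/sh
# Added example, not from the original answer. SSLRequire's file() expands to
# the file's contents as ONE string, so the file must hold exactly
#   "addr1","addr2",...
# with no trailing newline. write_mail_list builds such a file and
# check_mail_list validates one that already exists.

# write_mail_list FILE ADDR... : writes "a","b",... without a final newline
write_mail_list() {
    out="$1"; shift
    sep=""
    : > "$out"
    for addr in "$@"; do
        printf '%s"%s"' "$sep" "$addr" >> "$out"
        sep=","
    done
}

# check_mail_list FILE : returns 0 if the file is non-empty, has no trailing
# newline, and every comma-separated entry is a quoted address; 1 otherwise.
check_mail_list() {
    f="$1"
    [ -s "$f" ] || return 1
    # wc -l counts newlines; the last byte must not be one, or file() would
    # hand SSLRequire a string ending in "\n" and the expression fails
    [ "$(tail -c 1 "$f" | wc -l)" -eq 0 ] || return 1
    # every entry must look like "user@host" (quotes included)
    tr ',' '\n' < "$f" | grep -Evq '^"[^"@,]+@[^"@,]+"$' && return 1
    return 0
}

# Usage (assumed path from the question):
#   write_mail_list /etc/httpd/mail-list mail@example.com mail@example.org
#   check_mail_list /etc/httpd/mail-list && apachectl graceful
```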

file() does read the contents of the file into a single string (as M. Jessen noted). However, that doesn't mean that you can use apache expression syntax inside this file. You will need to use a regular expression to search inside the string, as apache doesn't seem to be able to split a string based on a delimiter.

As a workaround you can use AuthBasicFake and use the variable in question as the basic auth username together with a normal basic auth provider.

Marcel Klehr