
I am working on a web service project which requires that clients connecting to my service authenticate themselves via X.509 certificates as part of a Mutual Authentication TLS negotiation. In addition to linking the client certificate to a specific PKI trust chain, my requirements dictate that I must verify specific values within the certificate. Specifically, the subject DN must contain one OU with a predetermined value, and the certificate must contain one subjectAltName with a different predetermined value in URI format.

I am using Apache httpd 2.4.6 on a CentOS 7 system, and am able to satisfy most of these requirements fairly easily with standard Apache configuration directives leveraging common mod_ssl variables, with one notable exception: I cannot seem to find a variable that allows me to access a subjectAltName value in URI format. Looking at the mod_ssl documentation found here:

https://httpd.apache.org/docs/2.4/mod/mod_ssl.html

I can see variables for the following subjectAltName formats:

SSL_CLIENT_SAN_Email_n - Client certificate's subjectAltName extension entries of type rfc822Name

SSL_CLIENT_SAN_DNS_n - Client certificate's subjectAltName extension entries of type dNSName

SSL_CLIENT_SAN_OTHER_msUPN_n - Client certificate's subjectAltName extension entries of type otherName, Microsoft User Principal Name form (OID 1.3.6.1.4.1.311.20.2.3)

Given that URI is a distinct and valid format for subjectAltName values as defined in RFC 5280 (X.509/PKI) section 4.2.1.6, I'm at a loss for why mod_ssl would not provide access to subjectAltNames in this format. Is there a variable that provides this functionality which I am simply not seeing in the documentation?

roboscott
  • "why mod_ssl would not provide access to subjectAltNames in this format" Probably because on the web, 99.9999999% (more or less) certificates will use only type "DNS" in the SAN list. While other types exist, they are more targeting other uses. The fact it is not exposed through mod_ssl is probably just because noone had a need for it. You might need to update https://github.com/apache/httpd/blob/5f32ea94af5f1e7ea68d6fca58f0ac2478cc18c5/modules/ssl/ssl_engine_vars.c#L1109 as you can clearly see there that URI is not taken into account, and some other places and compile Apache. – Patrick Mevzek Feb 27 '19 at 17:06
  • Or don't do it at Apache level but in some application (or closer to Apache through a filter or an authorization module), as you can get access to the full certificate at least as PEM content in `SSL_CLIENT_CERT` and then you "just" need to parse it yourself. – Patrick Mevzek Feb 27 '19 at 17:08
  • Hi Patrick, this is the general impression that I'm getting as well. Frankly, I had never seen the URI format used for subjectAltName until this case either. Fortunately, I am already forwarding along the SSL_CLIENT_CERT to my application layer for some additional operations, so your suggestion that I deal with it programmatically downstream may ultimately end up being my best/only solution here. I'll leave the question open for a bit to see if any additional insight pours in, just in case. – roboscott Feb 27 '19 at 17:31

1 Answer


Further reviewing the mod_ssl source code, it is clear that extracting SAN values in URI format for use in variables is simply not currently supported, as noted by this comment:

        /*
         * Not implemented right now:
         * GEN_X400 (x400Address)
         * GEN_DIRNAME (directoryName)
         * GEN_EDIPARTY (ediPartyName)
         * GEN_URI (uniformResourceIdentifier)
         * GEN_IPADD (iPAddress)
         * GEN_RID (registeredID)
         */

in https://github.com/apache/httpd/blob/5f32ea94af5f1e7ea68d6fca58f0ac2478cc18c5/modules/ssl/ssl_util_ssl.c

As such, the answer to my question is apparently that there is not presently a variable I can use for this purpose, and fulfilling this requirement will necessitate a workaround (or an implementation of GEN_URI pushed to mod_ssl).

roboscott
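The downstream workaround the comments and the answer point at, parsing the PEM from SSL_CLIENT_CERT in the application, as an added example that is not part of this thread: Go's crypto/x509 already decodes the GEN_URI entries that mod_ssl's variables skip, so the OU and URI checks from the question can be applied there. The OU value, the URI value and the self-signed test certificate are constructed stand-ins, not anything from the real PKI.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// checkClientCert parses the PEM that mod_ssl exports as SSL_CLIENT_CERT and applies the two
// checks from the question: exactly one OU equal to wantOU, and a URI-type subjectAltName equal
// to wantURI (the GEN_URI entries mod_ssl does not expose). Chain validation stays with mod_ssl.
func checkClientCert(pemData []byte, wantOU, wantURI string) error {
	block, _ := pem.Decode(pemData)
	if block == nil || block.Type != "CERTIFICATE" {
		return fmt.Errorf("SSL_CLIENT_CERT does not contain a PEM certificate")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	if ous := cert.Subject.OrganizationalUnit; len(ous) != 1 || ous[0] != wantOU {
		return fmt.Errorf("subject OU %v, want exactly one OU %q", ous, wantOU)
	}
	for _, u := range cert.URIs { // cert.URIs holds the uniformResourceIdentifier SAN entries
		if u.String() == wantURI {
			return nil
		}
	}
	return fmt.Errorf("no URI subjectAltName equal to %q", wantURI)
}

// selfSignedPEM builds a constructed test certificate with the given OU and URI SAN (hypothetical values).
func selfSignedPEM(ou, uri string) []byte {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	u, _ := url.Parse(uri)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), URIs: []*url.URL{u},
		Subject: pkix.Name{OrganizationalUnit: []string{ou}}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	fmt.Println(checkClientCert(selfSignedPEM("Service Clients", "urn:example:client:42"), "Service Clients", "urn:example:client:42")) // <nil>
}
```

Apache only populates SSL_CLIENT_CERT with the full PEM when `SSLOptions +ExportCertData` is enabled for the location in question.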