We are trying to set up mod_ssl to get some "proper"
access to two classes of users.

First, everybody must use client certs (signed by our
CA). Client cert control is okay and works properly
(SSLVerifyClient require, SSLVerifyDepth 1 and such).

Now, we have two classes of client certs, based on the
OU. Say, OU="Class 1" and OU="Class 2". We want to
allow :
- all users with "Class 1" certificates, and
- users with "Class 2" certs ONLY when they are
browsing from some IP addresses.

Those IP addresses are not known in advance, and may
be dynamic. Let's say we have an external list
(updated by some mean, irrelevant to our problem). How
can we check this list and correlate it with the OU
from the client cert ? We thought that something like

SSLRequire %{SSL_CLIENT_S_DN_OU} eq "Class 1"
or ( %{SSL_CLIENT_S_DN_OU} eq "Class 2"
and %{REMOTE_ADDR} in { file("/tmp/list") } )

(where /tmp/list is a list of allowed IP addresses)
would be the way to go, but this utterly fails.
Mod_ssl properly opens the file (strace shows that),
but even when the browser is coming from an IP in the
list, no access is granted.

Is this a problem coming from the file's content
(syntax ?), or are we wrong in our thinking ? And
then, what would be the way to go ?

-- FdL

Do You Yahoo!?
En finir avec le spam? Yahoo! Mail vous offre la meilleure protection possible contre les messages non sollicitÚs
http://mail.yahoo.fr Yahoo! Mail
__________________________________________________ ____________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org