Re: [mod-security-users] How to "whitelist" browsers that use a valid client certificate
From: Christian F. <chr...@ti...> - 2012-12-11 14:13:21
Hello Josh,

On Tue, Dec 11, 2012 at 03:30:52PM +0200, Josh Amishav-Zlatin wrote:
> > Could someone point me in the right direction so that I can:
> > "whitelist" browsers that use a valid client certificate
>
> There is no direct way to do this. One way you could implement this is
> to enable 'SSLOptions +StdEnvVars' in your SSL configuration (note there may
> be a performance penalty if enabled). Then create a ModSecurity rule to run
> a Lua script to inspect the client certificate environment variables like
> SSL_CLIENT_CERTBODY and verify that the cert belongs to a client you want
> to whitelist.

Did not Paul ask to whitelist those clients (browsers?) that have a valid client cert? If he delegates the checking of the cert to mod_ssl, then he should be able to use SSL_CLIENT_VERIFY (values: NONE, SUCCESS, GENEROUS or FAILED:reason) and disable the rule engine based on that.

regs,
Christian

--
I wanted you to see what real courage is, instead of getting the idea that courage is a man with a gun in his hand. It's when you know you're licked before you begin, but you begin anyway and see it through no matter what.
-- Harper Lee
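
One way to wire up the SSL_CLIENT_VERIFY approach from the reply above, as an added configuration example that is not part of the original message. The file paths, the rule id and the `CLIENT_CERT_OK` variable name are hypothetical, and it assumes the verification result is copied into the request environment with mod_rewrite's `%{SSL:...}` lookup so that it is already set when ModSecurity's phase 2 runs.

```apache
# Added example, not from the original thread. Paths, the rule id and the
# CLIENT_CERT_OK name are placeholders chosen for illustration.
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # CA that issues the client certificates to be trusted.
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt

    # Request a client certificate during the handshake, but still accept
    # clients that present none; those stay subject to the full rule set.
    SSLVerifyClient optional
    SSLVerifyDepth  2

    # Flag the request only when mod_ssl reports exactly SUCCESS.
    # NONE, GENEROUS and FAILED:reason leave the flag unset.
    RewriteEngine On
    RewriteCond %{SSL:SSL_CLIENT_VERIFY} =SUCCESS
    RewriteRule ^ - [E=CLIENT_CERT_OK:1]

    SecRuleEngine On

    # Keep this rule ahead of the other phase 2 rules. Phase 1 rules have
    # already run by this point and therefore still apply to every client.
    SecRule ENV:CLIENT_CERT_OK "@streq 1" \
        "id:1000001,phase:2,pass,nolog,ctl:ruleEngine=Off"
</VirtualHost>
```

Matching `SUCCESS` exactly keeps `GENEROUS`, which mod_ssl reports when `SSLVerifyClient optional_no_ca` accepts a certificate it could not verify, from bypassing the rule engine.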