SSLRequire – file function

Tags: apache-2.2, files, mod-ssl, ssl

I'm having trouble with Apache 2.2 and the small documentation that I can find for the file function of SSLRequire. I'm trying to check the email property of the client certificate in a request using SSLRequire.

The following option in httpd.conf file works well:

SSLRequire %{SSL_CLIENT_S_DN_Email} in { "mail@example.com" }

but as far as I can read in the documentation, you can use a list of values for the filter.

Quoting from the official documentation:

file(filename) - This function takes one string argument and expands to the contents of the file. This is especially useful for matching these contents against a regular expression, etc.

So, following the documentation I put the following in the httpd.conf file:

SSLRequire %{SSL_CLIENT_S_DN_Email} in { file("/etc/httpd/mail-list") }

The file mail-list contains only one line with the content mail@example.com (trying to simulate the option that works without file).

But when I try to access my HTTPS server I see the following in the logs:

Failed expression: %{SSL_CLIENT_S_DN_Email} in { file("/etc/httpd/mail-list") }

This message normally appears when the pattern can't be applied. Can someone help me here, how can I use this functionality?

Best Answer

According to this old thread on the apache-modssl mailing list, file() reads the contents of the file into a single string, and so special characters (such as newlines) in the referenced file may break the SSLRequire syntax.

Given that this was posted by the original author of mod_ssl, I'd trust this theory to be spot on.

Try with the following contents in /etc/httpd/mail-list:

"mail@example.com","mail@example.org","mail2@example.org"

with no trailing newline.
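Because file() splices the file's bytes straight into the SSLRequire expression, the practical check is that the list file contains exactly the quoted, comma-separated values and nothing else, not even the newline most editors append. The following POSIX shell helper, added here as an example and not part of the original question or answer, writes such a file and verifies it before it is referenced from httpd.conf. The path and addresses are placeholders; write_mail_list, check_mail_list and show_expanded are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): build the list file that
# SSLRequire's file() will substitute verbatim into the expression, and
# verify it contains no newline or other characters that would break the
# SSLRequire syntax once expanded.

# Write the allowed addresses as a quoted, comma-separated list with no
# trailing newline. Arguments: output path, then one or more addresses.
write_mail_list() {
    out=$1; shift
    sep=""
    # Truncate the file, then append each address in turn.
    : > "$out"
    for addr in "$@"; do
        printf '%s"%s"' "$sep" "$addr" >> "$out"
        sep=","
    done
}

# Return 0 if the file is safe to be expanded by file(): non-empty and
# free of newline, carriage return and tab characters.
check_mail_list() {
    f=$1
    [ -s "$f" ] || return 1
    # tr deletes the offending bytes; if the byte count changes, they were present.
    total=$(wc -c < "$f" | tr -d ' ')
    clean=$(tr -d '\n\r\t' < "$f" | wc -c | tr -d ' ')
    [ "$total" -eq "$clean" ]
}

# Print the SSLRequire directive as mod_ssl would see it after file()
# expansion (constructed for illustration; mod_ssl does not log this form).
show_expanded() {
    printf 'SSLRequire %%{SSL_CLIENT_S_DN_Email} in { %s }\n' "$(cat "$1")"
}

# Usage (placeholder path and addresses):
#   write_mail_list /etc/httpd/mail-list mail@example.com mail@example.org
#   check_mail_list /etc/httpd/mail-list && show_expanded /etc/httpd/mail-list
```

Run check_mail_list whenever the list is edited: a file that fails it is exactly the case the answer describes, where the expanded expression no longer parses and mod_ssl logs "Failed expression" for every request.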