I am working on a web service project which requires that clients connecting to my service authenticate themselves via X.509 certificates as part of a Mutual Authentication TLS negotiation. In addition to linking the client certificate to a specific PKI trust chain, my requirements dictate that I must verify specific values within the certificate. Specifically, the subject DN must contain one OU with a predetermined value, and the certificate must contain one subjectAltName with a different predetermined value in URI format.
I am using Apache httpd 2.4.6 on a CentOS 7 system, and am able to satisfy most of these requirements fairly easily with standard Apache configuration directives leveraging common mod_ssl variables, with one notable exception: I cannot seem to find a variable that allows me to access a subjectAltName value in URI format. Looking at the mod_ssl documentation found here:
https://httpd.apache.org/docs/2.4/mod/mod_ssl.html
I can see variables for the following subjectAltName formats:
SSL_CLIENT_SAN_Email_n - Client certificate's subjectAltName extension entries of type rfc822Name
SSL_CLIENT_SAN_DNS_n - Client certificate's subjectAltName extension entries of type dNSName
SSL_CLIENT_SAN_OTHER_msUPN_n - Client certificate's subjectAltName extension entries of type otherName, Microsoft User Principal Name form (OID 1.3.6.1.4.1.311.20.2.3)
Given that URI is a distinct and valid format for subjectAltName values as defined in RFC 5280 (X.509/PKI) section 4.2.1.6, I'm at a loss for why mod_ssl would not provide access to subjectAltNames in this format. Is there a variable that provides this functionality which I am simply not seeing in the documentation?
On further review of the mod_ssl source code, it is clear that extracting SAN values in URI format for use in variables is simply not currently supported, as noted by this comment:
/*
* Not implemented right now:
* GEN_X400 (x400Address)
* GEN_DIRNAME (directoryName)
* GEN_EDIPARTY (ediPartyName)
* GEN_URI (uniformResourceIdentifier)
* GEN_IPADD (iPAddress)
* GEN_RID (registeredID)
*/
As such, the answer to my question is apparently that there is not presently a variable I can use for this purpose, and fulfilling this requirement will necessitate a workaround (or an implementation of GEN_URI pushed to mod_ssl).
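Since mod_ssl does not expose URI SANs, one workaround is to export the client certificate to the application (SSLOptions +ExportCertData, which populates SSL_CLIENT_CERT) and check the SAN there. The following is an added example, not code from the question or from mod_ssl: it parses the DER value of a subjectAltName extension and applies the one-URI rule from the question. It assumes the extension value has already been pulled out of the certificate with an X.509 library, and the sample SAN bytes are constructed.

```python
# Added example, not from the question or mod_ssl: application-side check of the
# URI SAN on a client cert exported by Apache (SSLOptions +ExportCertData).
# Parses only the DER value of the subjectAltName extension.
# GeneralName tags, RFC 5280 4.2.1.6 (context-specific, implicit, primitive):
# [2] dNSName, [6] uniformResourceIdentifier (mod_ssl's unimplemented GEN_URI).
GEN_DNS, GEN_URI = 0x82, 0x86

def _read_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, offset after it)."""
    first = buf[pos]
    if first < 0x80:  # short form
        return first, pos + 1
    n = first & 0x7F  # long form: n length octets follow
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def parse_general_names(san_der):
    """Return [(tag, value_bytes)] for each GeneralName in the SAN SEQUENCE."""
    if not san_der or san_der[0] != 0x30:
        raise ValueError("subjectAltName value must be a DER SEQUENCE")
    seq_len, pos = _read_length(san_der, 1)
    end = pos + seq_len
    if end != len(san_der):
        raise ValueError("SEQUENCE length does not match extension value")
    names = []
    while pos < end:
        tag = san_der[pos]
        length, pos = _read_length(san_der, pos + 1)
        if pos + length > end:
            raise ValueError("GeneralName runs past end of SEQUENCE")
        names.append((tag, san_der[pos:pos + length]))
        pos += length
    return names

def san_uris(san_der):
    """All uniformResourceIdentifier entries (IA5String) as Python strings."""
    return [v.decode("ascii") for t, v in parse_general_names(san_der) if t == GEN_URI]

def uri_policy_ok(san_der, expected):
    """The question's rule: exactly one URI SAN, and it equals the expected value."""
    uris = san_uris(san_der)
    return len(uris) == 1 and uris[0] == expected

def _general_name(tag, text):
    """Encode one GeneralName (short-form length) for the constructed sample."""
    body = text.encode("ascii")
    return bytes([tag, len(body)]) + body

# Constructed sample SAN: a dNSName plus the URI a client certificate might carry.
_BODY = _general_name(GEN_DNS, "client.example.com") + _general_name(GEN_URI, "urn:example:svc:client-42")
SAMPLE_SAN = bytes([0x30, len(_BODY)]) + _BODY
```

The same check could be expressed as an Apache `Require expr` once a variable exists; until then the decision has to be made in the application that receives SSL_CLIENT_CERT.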