author | Martin Kraemer <martin@apache.org> | 2005-07-20 18:42:58 +0200 |
---|---|---|
committer | Martin Kraemer <martin@apache.org> | 2005-07-20 18:42:58 +0200 |
commit | b5a3f87755a24db37f50773d0a40143180b92fca (patch) | |
tree | f726fa55baf9dae5470234b286ffbc560b7e7a58 /docs/manual/mod/mod_ssl.xml | |
parent | The arguments to require are case-sensitive, so that "Require User" and (diff) | |
Collaborative work: (Thanks, dreid!)
Implement OID checking for mod_ssl. This code allows for checking of arbitrary client
certificate extensions by OID, in a syntax like:
SSLRequire "BaDCA Generated Certificate" in Oid("2.16.840.1.113730.1.13") \
|| "committers" in Oid("1.3.6.1.4.1.18060.1")
Note the following:
* A given OID can occur multiple times in one cert, with different values. Therefore
the OID function compares the left-hand string against each of the OID values,
until a complete match is found. If none matches, the result is FALSE
* The left hand side can be another expression, so can be a reference to a variable
or a file() invocation etc.
* The OID is also just a reference to a string, or function, or whatever.
* My manual description is very short. Someone else please help improve the description
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@219940 13f79535-47bb-0310-9956-ffa450edef68
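The matching rule the commit message describes, as an added example in Python that is not mod_ssl's code: it assumes the client certificate's extensions have already been decoded into (oid, value) string pairs (a hypothetical helper's output, constructed inline here), and shows the three cases that matter when writing such a rule: a repeated OID where only a later instance matches, a value that merely contains the string, and a certificate without the OID at all.

```python
# Added example: a model of `word in OID("...")` as described in the commit
# message. Not mod_ssl's implementation; extensions are assumed to be already
# decoded into (oid, value) string pairs (constructed below, no real certs).

def oid_values(extensions, oid):
    """Every value carried by extensions with the given OID, in order.
    A certificate may carry the same OID several times with different values."""
    return [value for ext_oid, value in extensions if ext_oid == oid]


def in_oid(lhs, extensions, oid):
    """Evaluate `lhs in OID(oid)`: TRUE when lhs is a complete match for the
    value of any instance of the OID; FALSE when none matches, including the
    case where the OID is absent from the certificate entirely."""
    return any(lhs == value for value in oid_values(extensions, oid))


def ssl_require(extensions):
    """The expression from the commit message:
    "BaDCA Generated Certificate" in Oid("2.16.840.1.113730.1.13")
      || "committers" in Oid("1.3.6.1.4.1.18060.1")"""
    return (in_oid("BaDCA Generated Certificate", extensions, "2.16.840.1.113730.1.13")
            or in_oid("committers", extensions, "1.3.6.1.4.1.18060.1"))


# Constructed sample extension lists (not real certificates).
COMMITTER_CERT = [
    ("1.3.6.1.4.1.18060.1", "developers"),   # first instance: no match
    ("1.3.6.1.4.1.18060.1", "committers"),   # second instance: complete match
]
PARTIAL_CERT = [
    ("1.3.6.1.4.1.18060.1", "committers,admins"),  # substring only: no match
]
NO_OID_CERT = [
    ("2.5.29.19", "CA:FALSE"),  # basicConstraints only; neither OID present
]

if __name__ == "__main__":
    for name, cert in (("committer", COMMITTER_CERT),
                       ("partial", PARTIAL_CERT),
                       ("no-oid", NO_OID_CERT)):
        print(name, ssl_require(cert))
```

Only a complete, exact string match grants access; a value that merely contains the expected string, or a certificate lacking the OID, evaluates to FALSE.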
Diffstat (limited to 'docs/manual/mod/mod_ssl.xml')
-rw-r--r-- | docs/manual/mod/mod_ssl.xml | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml index a184e85f66..e35b9a5383 100644 --- a/docs/manual/mod/mod_ssl.xml +++ b/docs/manual/mod/mod_ssl.xml @@ -1188,7 +1188,7 @@ boolean expression is true</description> <usage> <p> This directive specifies a general access requirement which has to be -fulfilled in order to allow access. It's a very powerful directive because the +fulfilled in order to allow access. It is a very powerful directive because the requirement specification is an arbitrarily complex boolean expression containing any number of access checks.</p> <note type="warning"> @@ -1216,6 +1216,7 @@ comp ::= word "<strong>==</strong>" word | word "<strong>eq</strong>" word | word "<strong>></strong>" word | word "<strong>gt</strong>" word | word "<strong>>=</strong>" word | word "<strong>ge</strong>" word | word "<strong>in</strong>" "<strong>{</strong>" wordlist "<strong>}</strong>" + | word "<strong>in</strong>" "<strong>OID(</strong>" word "<strong>)</strong>" | word "<strong>=~</strong>" regex | word "<strong>!~</strong>" regex @@ -1258,6 +1259,11 @@ SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \<br /> and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \<br /> or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/ </example> +<p>The <code>OID()</code> function expects to find zero or more instances +of the given OID in the client certificate, and compares the left-hand side +string against the value of matching OID attributes. Every matching OID is +checked, until a match is found. +</p> <p><em>Standard CGI/1.0 and Apache variables:</em></p> <pre> |
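Review bot: in the grammar hunk the new production spells the function `OID(` while the commit message's own example writes `Oid(`; the documentation should state whether the function name is matched case-insensitively, otherwise a reader copying the example cannot tell which spelling the parser accepts. It would also help to say that the word inside the parentheses may be any expression that evaluates to a string (a variable, a file() call), as the commit message notes, rather than leaving the impression that only a literal OID is allowed.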
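Review bot: the new paragraph in the last hunk reads "Every matching OID is checked, until a match is found", which is circular: it neither says what is compared nor what happens when nothing matches. Suggest rewording along the lines of the commit message, for example: "The left-hand string is compared for a complete match against the value of each instance of the given OID in the client certificate, in turn; the result is TRUE on the first complete match and FALSE if the OID is absent or no instance matches." A short example line, such as `SSLRequire "committers" in OID("1.3.6.1.4.1.18060.1")`, would also be useful, since the existing <example> block above shows only the cipher and address checks.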