Description
The DSF FHIR reverse proxy (fhir_proxy:2.1.0) rejects client certificates that do not contain a Country (C=) field in the Subject DN, even when the issuing CA is explicitly listed in SSL_EXPECTED_CLIENT_I_DN_CN_VALUES.
Affected DSF Version
- 2.1.0
- all with regex check of this env
To Reproduce
Tested configuration:
- SSL_EXPECTED_CLIENT_S_DN_C_VALUES = "'DE', 'GR'"
- SSL_EXPECTED_CLIENT_S_DN_C_VALUES = "'DE', ''"
- SSL_EXPECTED_CLIENT_S_DN_C_VALUES = ""
Steps to reproduce the behavior:
- Obtain a personal S/MIME certificate issued by GEANT S/MIME RSA 1 (a CA listed in the default SSL_EXPECTED_CLIENT_I_DN_CN_VALUES)
- Note that the certificate Subject DN contains only emailAddress=x.x@example.de — no C= field
- Configure and start the DSF FHIR reverse proxy with default settings
- Attempt to access /fhir/metadata using this certificate in a browser
Expected Behavior
The proxy accepts the certificate since the issuing CA is trusted and listed in SSL_EXPECTED_CLIENT_I_DN_CN_VALUES.
Actual Behavior:
Apache returns 403 Forbidden with AH01630: client denied by server configuration. The generated certificate_require_expr.conf contains:
Require expr "%{SSL_CLIENT_S_DN_C} in { 'DE', ... } && %{SSL_CLIENT_I_DN_CN} in { ... }"
Since SSL_CLIENT_S_DN_C is empty for certificates without a C= field, the expression evaluates to false regardless of the issuing CA.
Root Cause:
start.sh generates the Require expr with a mandatory SSL_CLIENT_S_DN_C check. The SSL_EXPECTED_CLIENT_S_DN_C_VALUES variable does not accept an empty string ('') — the regex validation in start.sh (is_comma_separated_list) rejects it.
Suggested fix:
Three options in order of preference:
- Add SSL_EXPECTED_CLIENT_I_DN_C_VALUES – an optional variable to check the Country of the issuing CA instead of (or in addition to) the Subject Country. This is arguably more meaningful from a security perspective since the issuer is under controlled trust, whereas the Subject DN content depends on the CA's issuance policy.
- Make SSL_EXPECTED_CLIENT_S_DN_C_VALUES optional – if unset or empty, skip the Subject Country check entirely rather than failing startup. The current validation rejects empty values, forcing operators to always specify a Country even when their use case doesn't require it.
- Support a wildcard value (e.g. '*') in SSL_EXPECTED_CLIENT_S_DN_C_VALUES to explicitly opt out of the Subject Country check while keeping the variable required for clarity.
Option 1 and 2 can be combined: operators could check the issuer Country when Subject Country is not applicable.
Logs
FHIR Proxy:
# SSL_EXPECTED_CLIENT_S_DN_C_VALUES = "''"
May 26 08:19:59 z-dsfmb-1 dsf-proxy-dsf-proxy[28337]: Error: SSL_EXPECTED_CLIENT_S_DN_C_VALUES environment variable not set
# SSL_EXPECTED_CLIENT_S_DN_C_VALUES = "'DE', 'GR', ''"
May 26 08:22:26 z-dsfmb-1 dsf-proxy-dsf-proxy[52902]: Error: SSL_EXPECTED_CLIENT_S_DN_C_VALUES must be a comma-separated list of strings in single quotation marks
# SSL_EXPECTED_CLIENT_S_DN_C_VALUES = "'DE', 'GR'"
May 26 08:45:42 z-dsfmb-1 dsf-proxy-dsf-proxy[161190]: [Tue May 26 06:45:42.893727 2026] [authz_core:error] [pid 98:tid 104] [client 10.89.1.17:43394] AH01630: client denied by server configuration: /usr/local/apache2/htdocs/
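Options 1 and 2 from the suggested fix, sketched as an added example (this is not code from DSF's start.sh): the generator emits the Subject Country clause only when a list is supplied and can append an issuer Country clause. The function names, the validation regex and the sample issuer Country value are assumptions; SSL_EXPECTED_CLIENT_I_DN_C_VALUES is the variable proposed in this report, not an existing one.

```shell
#!/bin/sh
# Added illustration, not DSF's start.sh. Function names and regex are assumptions.

# Succeeds if $1 is a comma-separated list of non-empty single-quoted strings,
# e.g. 'DE', 'GR'. An empty element ('') fails, as in the reported behaviour.
# Double quotes and newlines are refused so a value cannot break out of the
# double-quoted Require expr directive it is pasted into.
is_quoted_list() {
    case $1 in *"
"*) return 1 ;; esac
    printf '%s\n' "$1" | grep -Eq "^'[^'\"]+'( *, *'[^'\"]+')*$"
}

# Prints the Require expr line.
#   $1 Subject Country list (empty: clause is left out)
#   $2 issuer CN list (always required)
#   $3 issuer Country list (optional, the proposed SSL_EXPECTED_CLIENT_I_DN_C_VALUES)
build_require_expr() {
    subj_c=$1 issuer_cn=$2 issuer_c=${3:-}
    if ! is_quoted_list "$issuer_cn"; then
        echo "Error: issuer CN list must be single-quoted and comma-separated" >&2
        return 1
    fi
    expr="%{SSL_CLIENT_I_DN_CN} in { $issuer_cn }"
    if [ -n "$subj_c" ]; then
        if ! is_quoted_list "$subj_c"; then
            echo "Error: Subject Country list is malformed" >&2
            return 1
        fi
        expr="%{SSL_CLIENT_S_DN_C} in { $subj_c } && $expr"
    fi
    if [ -n "$issuer_c" ]; then
        if ! is_quoted_list "$issuer_c"; then
            echo "Error: issuer Country list is malformed" >&2
            return 1
        fi
        expr="$expr && %{SSL_CLIENT_I_DN_C} in { $issuer_c }"
    fi
    printf 'Require expr "%s"\n' "$expr"
}

# Constructed inputs: the CA name comes from the report, 'DE' as issuer Country is made up.
build_require_expr "'DE', 'GR'" "'GEANT S/MIME RSA 1'"        # current behaviour
build_require_expr ""           "'GEANT S/MIME RSA 1'"        # option 2
build_require_expr ""           "'GEANT S/MIME RSA 1'" "'DE'" # options 1 and 2 combined
```

With the Subject Country list empty, authorization rests on the issuer CN (and issuer Country, if given) alone, so a certificate whose Subject DN holds only emailAddress passes the expression.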