httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joe Orton <>
Subject Re: Use of X509_NAME_oneline in mod_ssl
Date Sat, 16 Oct 2004 06:58:57 GMT
On Fri, Oct 15, 2004 at 03:41:59PM -0700, Madhusudan Mathihalli wrote:
> Well.. for one use I have atleast 2 different customers who map the
> information retrieved from a client certficate to the LDAP database.
> Both of them came back with the same question: Does SSL_CLIENT_S_DN
> conform to any known standard. The one standard I know for
> representing DN are the 1779 and 2253. Are there any other standards 
> - if so, please let me know for I'm unaware.

As far as I'm aware, it's just a convention adopted by OpenSSL.

> > > The patch is pretty simple if we want to change mod_ssl to use the RFC
> > > supported style. However, there are probably a lot of users who will
> > > not be happy if we change it abruptly. Hence I propose that we add a
> > > new SSL directive (SSLDNFormat or something like that) which allows
> > > the user to configure the format he likes (default will be the non-RFC
> > > compliant).
> > 
> > Which use of DNs do you want to change? Controlling these disparate uses
> > of DNs from one config directive sounds confusing.
> Okay - what do you suggest ?

Changing just the _DN variable format with a config directive sounds OK. 
Adding new variables would be an alternative, but the names would
probably get *really* ugly...


View raw message