httpd-dev mailing list archives

From Madhusudan Mathihalli <mam...@gmail.com>
Subject Re: Use of X509_NAME_oneline in mod_ssl
Date Fri, 15 Oct 2004 22:41:59 GMT
On Fri, 15 Oct 2004 21:14:16 +0100, Joe Orton <jorton@redhat.com> wrote:
[SNIP]
> > Moreover, the man page for X509_NAME_oneline (with OpenSSL 0.9.7x)
> > says that the function is obsolete, and that we ought to use
> > X509_NAME_print_ex.
> 
> The RFC mentioned, RFC2253 is a mapping for DNs into a standard form for
> use with LDAP databases.  mod_ssl exports DNs for use in FakeBasicAuth,
> and in the SSL_*_DN variables (anywhere else too?); I don't see how
> these relate to LDAP?

Well.. for one use I have at least 2 different customers who map the
information retrieved from a client certificate to the LDAP database.
Both of them came back with the same question: Does SSL_CLIENT_S_DN
conform to any known standard? The one standard I know for
representing DN are the 1779 and 2253. Are there any other standards
- if so, please let me know for I'm unaware.

> 
> > The patch is pretty simple if we want to change mod_ssl to use the RFC
> > supported style. However, there are probably a lot of users who will
> > not be happy if we change it abruptly. Hence I propose that we add a
> > new SSL directive (SSLDNFormat or something like that) which allows
> > the user to configure the format he likes (default will be the non-RFC
> > compliant).
> 
> Which use of DNs do you want to change? Controlling these disparate uses
> of DNs from one config directive sounds confusing.

Okay - what do you suggest?

Thanks
-Madhu
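
Added example, not part of the original message and not mod_ssl or OpenSSL code: a simplified Python model of the two DN string forms discussed in this thread, showing why the RFC 2253 form is the safer input for an LDAP lookup. The function names and the sample subject are constructed for illustration, and each RDN is assumed to hold a single attribute.

```python
# Simplified model of the two DN renderings discussed above.
# Assumption: each RDN carries one (attribute, value) pair, listed in
# certificate order (most general first). Sample data is constructed.

SPECIAL = set(',+"\\<>;')  # characters RFC 2253 section 2.4 requires escaping


def oneline(rdns):
    """Legacy slash-separated form in certificate order.
    This model, like the legacy style, does not escape '/' in values."""
    return "".join(f"/{attr}={value}" for attr, value in rdns)


def escape_rfc2253(value):
    """Escape one attribute value for use in an RFC 2253 string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL:
            out.append("\\" + ch)
        elif i == 0 and ch in " #":      # leading space or '#'
            out.append("\\" + ch)
        elif i == last and ch == " ":    # trailing space
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def rfc2253(rdns):
    """RFC 2253 form: most specific RDN first, comma-separated, escaped."""
    return ",".join(f"{a}={escape_rfc2253(v)}" for a, v in reversed(rdns))


def naive_split(dn):
    """What a consumer splitting the slash form on '/' would recover."""
    return [tuple(part.split("=", 1)) for part in dn.split("/")[1:]]


# Constructed subject: one value contains ',' and another contains '/'.
SUBJECT = [("C", "US"), ("O", "Example, Inc."), ("OU", "Web/Ops"), ("CN", "alice")]

if __name__ == "__main__":
    print(oneline(SUBJECT))   # /C=US/O=Example, Inc./OU=Web/Ops/CN=alice
    print(rfc2253(SUBJECT))   # CN=alice,OU=Web/Ops,O=Example\, Inc.,C=US
    # The slash form cannot be split back into the original RDNs.
    print(naive_split(oneline(SUBJECT)) == SUBJECT)  # False
```
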
