httpd-dev mailing list archives

From Stephane Bailliez <sbaill...@apache.org>
Subject mod_ssl and critical extensions
Date Thu, 28 Apr 2005 15:50:50 GMT
Hi,


I'm facing an annoying issue during a PKI deployment and integration 
within an organization.

The CA is created with the authority key identifier set as a critical 
extension.

OpenSSL (including 0.9.7g) chokes (voluntarily) on critical extensions 
and by default issues an error such as "Certificate Verification: Error 
(34): unhandled critical extension"

The piece of code involved is in crypto/x509/x509_vfy.c::check_chain_purpose

		/* For each certificate in the chain: unless the caller set
		 * X509_V_FLAG_IGNORE_CRITICAL, any critical extension OpenSSL
		 * does not understand (EXFLAG_CRITICAL) fails verification
		 * unless the verify callback overrides it. */
		if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
			&& (x->ex_flags & EXFLAG_CRITICAL))
			{
			ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
			ctx->error_depth = i;
			ctx->current_cert = x;
			ok=cb(0,ctx);
			if (!ok) goto end;
			}

There is the flag X509_V_FLAG_IGNORE_CRITICAL, which can be set when 
creating the SSL context; unfortunately, mod_ssl does not support any 
options related to context flags in its configuration, so it of course 
fails during authentication with the message above.

Is there any interest in adding SSL context options to mod_ssl, and if 
yes, what is the recommended way, if this has already been thought about?

Depending on planning pressure, I might be able to invest time in 
creating such a patch (even though the last time I did some C was about 
6 years ago, throwing out gdb and debugging httpd+openssl was already 
like discovering a new solar system :).

Patching mod_ssl is not an option right now for deployment, so we 
decided it was 'easier' to revoke the CA and all issued certificates and 
to create a new CA without the authority key identifier set as a 
critical extension.

Cheers,

Stephane
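A reproduction of the situation described in the message, added here as an example and not part of the original post: it builds a throwaway CA whose authorityKeyIdentifier is marked critical, issues one leaf, and runs openssl verify with and without -ignore_critical, the command-line form of the same X509_V_FLAG_IGNORE_CRITICAL store flag. It assumes an openssl binary on PATH; every name and certificate in it is constructed.

```shell
#!/bin/sh
# Build a CA whose authorityKeyIdentifier is marked critical (the mis-issued
# profile from the message), issue a leaf, then verify the leaf with and
# without -ignore_critical, the CLI form of X509_V_FLAG_IGNORE_CRITICAL.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_certs() {   # constructed throwaway CA and leaf, not a production profile
    cat >"$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Constructed Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
subjectKeyIdentifier = hash
authorityKeyIdentifier = critical,keyid:always
EOF
    printf 'basicConstraints=CA:FALSE\n' >"$WORK/leaf.ext"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 2 -config "$WORK/ca.cnf" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=leaf.example' \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Prints "critical" or "non-critical" for the AKID on the CA certificate.
akid_criticality() {
    if openssl x509 -in "$WORK/ca.pem" -noout -text |
        grep -q 'Authority Key Identifier: *critical'; then echo critical
    else echo non-critical; fi
}

# Prints "accepted" or "rejected". An argument of "ignore" adds -ignore_critical.
verify_leaf() {
    flag=""; [ "${1:-}" = "ignore" ] && flag="-ignore_critical"
    if openssl verify $flag -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}

make_certs
echo "CA AKID is $(akid_criticality)"          # critical
echo "default verify: $(verify_leaf)"          # rejected (unhandled critical extension)
echo "-ignore_critical: $(verify_leaf ignore)" # accepted
```

Re-issuing the CA with a non-critical AKID, which is what the message ends up doing, matches the profile RFC 5280 (section 4.2.1.1) requires for this extension; -ignore_critical is shown only to demonstrate what the store flag changes.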
