httpd-dev mailing list archives
From Ben Laurie <...@algroup.co.uk>
Subject Re: mod_ssl and critical extensions
Date Tue, 03 May 2005 16:02:03 GMT
Stephane Bailliez wrote:
> Hi,
> 
> 
> I'm facing an annoying issue during a PKI deployment and integration 
> within an organization.
> 
> The CA is created with the authority key identifier set as a critical 
> extension.
> 
> OpenSSL (including 0.9.7g) chokes (voluntarily) on critical extensions 
> and as a default issues an error such as "Certificate Verification: Error 
> (34): unhandled critical extension"
> 
> The piece of code involved is in 
> crypto/x509/x509_vfy.c::check_chain_purpose
> 
>         if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
>             && (x->ex_flags & EXFLAG_CRITICAL))
>             {
>             ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
>             ctx->error_depth = i;
>             ctx->current_cert = x;
>             ok=cb(0,ctx);
>             if (!ok) goto end;
>             }
> 
> There is the flag X509_V_FLAG_IGNORE_CRITICAL which can be set when 
> creating the SSL context, unfortunately, mod_ssl does not support any 
> options related to context flags in its configuration, thus it of course 
> fails during authentication with the message above.
> 
> Is there any interest in adding SSL context options to mod_ssl, and if 
> yes, what is the recommended way if it has been thought?

It's a pretty dumb idea to ignore critical extensions, so I don't think 
this sounds like a great idea...

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
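The failure the quoted report describes, reproduced end to end with the openssl CLI. This is an added example, not code from the thread, from mod_ssl or from OpenSSL; it assumes an `openssl` binary (1.1.1 or newer) on PATH. It puts the critical authorityKeyIdentifier on a leaf certificate rather than on the CA, since the same unhandled-critical check in the verifier applies to every untrusted certificate in the chain; the CA name, hostname, file names and config sections are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce OpenSSL verify error 34,
# "unhandled critical extension", using a constructed CA and a leaf cert
# whose authorityKeyIdentifier is marked critical, then show that the
# X509_V_FLAG_IGNORE_CRITICAL flag (-ignore_critical in `openssl verify`)
# masks the error. Assumes the openssl CLI (1.1.1 or newer) is on PATH.
WORK=$(mktemp -d)

# Build the throwaway PKI: a CA with ordinary extensions and a leaf cert
# carrying a critical AKI. RFC 5280 requires AKI to be non-critical, and
# OpenSSL does not treat AKI as a "handled" critical extension, so the
# parsed leaf gets EXFLAG_CRITICAL and chain verification rejects it.
make_pki() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
authorityKeyIdentifier = critical,keyid:always
EOF
    openssl req -x509 -config "$WORK/req.cnf" -extensions ca_ext \
        -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
        -subj "/CN=Constructed Test CA" -days 30 >/dev/null 2>&1 || return 1
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
        -subj "/CN=leaf.example.test" >/dev/null 2>&1 || return 1
    openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
        -extfile "$WORK/req.cnf" -extensions leaf_ext \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# Verify the leaf against the CA; $1 holds extra verify options (may be
# empty). Prints one of: unhandled-critical, ok, other-error, and returns
# the exit status of `openssl verify`.
verify_leaf() {
    rc=0
    out=$(openssl verify $1 -CAfile "$WORK/ca.pem" "$WORK/leaf.pem" 2>&1) || rc=$?
    case $out in
        *"unhandled critical extension"*) echo unhandled-critical ;;
        *": OK"*)                          echo ok ;;
        *)                                 echo other-error ;;
    esac
    return $rc
}

make_pki || exit 1
verify_leaf ""                  # prints unhandled-critical (error 34)
verify_leaf -ignore_critical    # prints ok
```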
