httpd-dev mailing list archives

From Victor Wagner <>
Subject Re: SSL client certificate extensions requirements backport
Date Thu, 20 Dec 2007 15:09:52 GMT
On 2007.12.20 at 13:53:12 +0000, Dr Stephen Henson wrote:

> Yes I noticed mod_ssl uses the obsolete X509_NAME_oneline() function all
> over the place.

The problem is that it was written a long time ago, when no better way existed.
Someone has to go over the code and change it to the more modern API.

And most OpenSSL applications have the same problem. I've already spent
considerable time convincing authors of various applications that
OPENSSL_config (which has been there since 0.9.7) ought to be called.

Maybe it's worth the trouble to add __attribute__((deprecated)) to the
definition of this function (for the GCC target at least). It would make
application developers aware that something has changed.

Nobody would fix things which are not broken, but a compile-time warning
may cause re-reading of the documentation.

> Some applications (arguably wrongly) use the output of
> X509_NAME_oneline() and strcmp() and friends for access control
> purposes. If we changed the format those would be broken by the change.

Really, this is not big trouble. Typically, one expects that
when a new version of an application is installed (and switching to newer
libraries would require a new version of the application, or at least a new
version of the package; typically a distribution allows installing several
libcrypto versions simultaneously), some config files would be broken and
need adaptation to the new version.

If some tool to convert old access lists to the new format were
provided, most system administrators would respect the change from unreadable
escapes to nice readable UTF-8.

I already have some Perl code to convert the output of X509_NAME_oneline
in the index.txt files of the OpenSSL ca command into readable form.
BTW, the openssl ca command honors the config file parameter utf8=yes, and might
be changed to use better functions IF THIS PARAMETER IS SET right now.

Concerning Apache, which uses a lot of environment variables to export
certificate information to scripts, maybe it is worth looking at the
PostgreSQL (8.2+) contrib ssl_info module.
It does almost the same thing: it gives access to client certificate info
for informational purposes to triggers and stored procedures.

Although it doesn't deal with extensions yet.
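The message above mentions two things worth seeing in code: converting the escaped output of X509_NAME_oneline() (as found in the ca command's index.txt) back into readable UTF-8, and the fragility of doing access control by comparing that raw string. The following is an added example, not Victor Wagner's Perl code or anything from OpenSSL or mod_ssl. It assumes the oneline convention of rendering every byte outside the printable ASCII range as `\xHH`, assumes the underlying attribute values were UTF8Strings, and uses a constructed sample DN.

```python
from __future__ import annotations
import re

# Constructed sample in the escaped form X509_NAME_oneline() emits:
# a UTF8String CN "Müller" appears as M\xC3\xBCller (one \xHH per byte).
SAMPLE_ONELINE = "/C=RU/O=Example/CN=M\\xC3\\xBCller"

_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")


def unescape_oneline_value(value: str) -> str:
    """Turn the \\xHH escapes of a single attribute value back into the
    original bytes, then decode them as UTF-8 (assumption: the value was a
    UTF8String; other string types would need their own decoding)."""
    raw = bytearray()
    pos = 0
    for m in _ESCAPE.finditer(value):
        raw += value[pos:m.start()].encode("ascii")
        raw.append(int(m.group(1), 16))
        pos = m.end()
    raw += value[pos:].encode("ascii")
    return raw.decode("utf-8", errors="replace")


def parse_oneline(name: str) -> list[tuple[str, str]]:
    """Split a oneline DN into (attribute, value) pairs.

    Caveat for anyone comparing these strings for access control: the
    oneline format does not escape '/' or '=' inside values, so the split
    below is only unambiguous when no value contains a '/'. Compare parsed
    attributes (or better, the X509_NAME structure itself) rather than the
    raw string.
    """
    if not name.startswith("/"):
        raise ValueError("oneline DN must start with '/'")
    pairs = []
    for component in name[1:].split("/"):
        attr, sep, value = component.partition("=")
        if not sep:
            raise ValueError(f"component without '=': {component!r}")
        pairs.append((attr, unescape_oneline_value(value)))
    return pairs


def to_readable(name: str) -> str:
    """Rebuild the DN with escapes replaced by readable UTF-8 text."""
    return "".join(f"/{attr}={value}" for attr, value in parse_oneline(name))


def dn_matches(name: str, required: dict[str, str]) -> bool:
    """Access-list check on decoded attributes instead of strcmp() on the
    raw oneline string, so that an escaped and an unescaped rendering of
    the same name are treated alike. Multi-valued attributes collapse to
    the last value here; a production check would keep the full list."""
    attrs = dict(parse_oneline(name))
    return all(attrs.get(key) == value for key, value in required.items())


if __name__ == "__main__":
    print(to_readable(SAMPLE_ONELINE))
    print(dn_matches(SAMPLE_ONELINE, {"O": "Example", "CN": "Müller"}))
```

Run on an index.txt line, the sixth tab-separated field (the subject DN) is what you would feed to `to_readable`; the `dn_matches` helper shows why structured comparison survives a change of output format while a byte-for-byte strcmp() on the oneline string does not.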
