httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dr Stephen Henson <>
Subject Re: SSL client certificate extensions requirements backport
Date Wed, 19 Dec 2007 14:25:27 GMT
Yann wrote:
> The changes regarding X509V3_EXT_print() seems more problematic since
> the extensions values are used in string
> comparison (strcmp and likes), hence the "human readable version", and
> the code is actually shared with the other
> expressions of the SSLRequire directive.

Well the OpenSSL extension print format is subject to change so any
parsing or comparison routines could be broken by that. As well as
readability changes new features are also added, for example print out
of the otherName type in subject alt name is an often requested addition.

There are the usual security issues of such things as embedded quotes
and linefeeds being misinterpreted.

> Do you mean SSLRequire treatment should specialy handle binary
> comparison for certificate extensions ?
> And a way to write it in the configuration file ...

A binary comparison would be difficult to handle because it would have
to effectively parse the ASN1 extension encoding manually.

Ideally we'd need a general purpose configurable mapping API where
selective parts of a certificate can be mapped to fixed format strings.
The options would vary depending on the extension type. OpenSSL would be
the best place for that though.

Dr Stephen N. Henson.
Core developer of the   OpenSSL project:
Freelance consultant see:
Email:, PGP key: via homepage.

View raw message