httpd-dev mailing list archives

From Dr Stephen Henson <shen...@oss-institute.org>
Subject Re: SSL client certificate extensions requirements backport
Date Thu, 20 Dec 2007 16:55:43 GMT
Victor Wagner wrote:
> On 2007.12.20 at 13:53:12 +0000, Dr Stephen Henson wrote:
> 
>> Yes I noticed mod_ssl uses the obsolete X509_NAME_oneline() function all
>> over the place.
> 
> Problem is that it was written a long time ago, when no better way existed.
> Someone has to go over the code and change it to a more modern API.
> 

Well it depends what you want to do. A (usually) readable representation
of an X509 DN would have needed X509_NAME_oneline() back then.

A portable way of using DNs for access control could use either the DN
encoding or the hash of its encoding. That would've retained
compatibility from SSLeay until the present day. It isn't exactly
readable though...

> And most OpenSSL applications have the same problem. I've already spent
> considerable time convincing authors of various applications that
> OPENSSL_config (which has been there since 0.9.7) ought to be called.
> 

And mod_ssl is one such application. I've submitted a patch that does
this properly in Bug #43931.

OPENSSL_config() itself has been about for some years now. It is
designed to avoid the very problem of applications having to keep up
with all manner of weird new configuration options and to just delegate
those to OpenSSL itself.

> 
>> Some applications (arguably wrongly) use the output of
>> X509_NAME_oneline() and strcmp() and friends for access control
>> purposes. If we changed the format those would be broken by the change.
> 
> Really, this is not a big trouble. Typically, one expects that
> when a new version of an application is installed (and it would require a new
> version of the application, at least a new version of the package,
> to switch to newer libraries - typically
> distributions allow installing several libcrypto versions simultaneously)
> some config files would be broken and need adaptation to the new version.
> 
> If some tool to convert old access lists to the new format were
> provided, most system administrators would respect the change of unreadable
> escapes into nice readable UTF-8.
> 
> I already have some Perl code to convert the output of X509_NAME_oneline
> in the index.txt files of the OpenSSL ca command into readable form.
> BTW, the openssl ca command honors the config file parameter utf8=yes, and might
> be changed to use better functions IF THIS PARAMETER IS SET just now.
> 

Unfortunately the X509_NAME_oneline() format is ambiguous, meaning that
some DNs cannot be converted to a correct new form. Use of multi-valued
AVAs is one such example, but there are many other types of DN which are
problematical.

That's just those that do this by accident. Maliciously crafted DNs
would be much worse.

I had considered a configuration option to change the format of
X509_NAME_oneline() through the autoconfig mechanism. That wouldn't
change the default, but configurations that want or need an alternative
form could use autoconfig to do it.

Of course that would need autoconfig support in the application as well...

Steve.
-- 
Dr Stephen N. Henson.
Core developer of the   OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.
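The ambiguity Steve describes above, as an added illustration that is not part of this thread or of OpenSSL: `name_oneline()` is a simplified model of X509_NAME_oneline() (a "/type=value" run over every AVA, RDN boundaries dropped, only bytes outside printable ASCII escaped as \xHH), `name_to_der()` builds the X.501 Name encoding by hand, and the three DNs are constructed sample values. Two distinct DNs, one with a "/" inside a value and one with a multi-valued RDN, collapse to the same oneline string, while comparing the DER encoding (or its hash) keeps them apart.

```python
import hashlib

# DER-encoded OIDs for the attribute types used here (RFC 5280 / X.520).
OIDS = {"CN": bytes.fromhex("550403"), "O": bytes.fromhex("55040a"), "OU": bytes.fromhex("55040b")}

def _der(tag, body):
    """Minimal DER TLV; short-form length is enough for these small names."""
    assert len(body) < 128, "long-form lengths not needed for this example"
    return bytes([tag, len(body)]) + body

def name_to_der(rdns):
    """Encode a Name given as a list of RDNs, each a list of (type, value) AVAs."""
    out = b""
    for rdn in rdns:
        avas = b"".join(_der(0x30, _der(0x06, OIDS[t]) + _der(0x0c, v.encode("utf-8")))
                        for t, v in rdn)
        out += _der(0x31, avas)          # SET OF AttributeTypeAndValue (one RDN)
    return _der(0x30, out)               # SEQUENCE OF RelativeDistinguishedName

def name_oneline(rdns):
    """Model of X509_NAME_oneline(): '/' and '=' inside values are not escaped
    and the RDN grouping is lost, which is what makes the output ambiguous."""
    s = ""
    for rdn in rdns:
        for t, v in rdn:
            s += "/" + t + "=" + "".join(chr(b) if 32 <= b <= 126 else "\\x%02X" % b
                                         for b in v.encode("utf-8"))
    return s

def name_hash(rdns):
    """Hash of the DER encoding; a stable, unambiguous ACL key (SHA-256 chosen here)."""
    return hashlib.sha256(name_to_der(rdns)).hexdigest()

def allow_by_oneline(acl, rdns):
    """The fragile pattern: strcmp()-style match on the oneline string."""
    return name_oneline(rdns) in acl

def allow_by_encoding(acl_hashes, rdns):
    """The robust pattern: match on the hash of the canonical encoding."""
    return name_hash(rdns) in acl_hashes

# Constructed sample DNs (not taken from any real certificate).
LEGIT = [[("O", "Example Corp")], [("OU", "ops")], [("CN", "admin")]]
CRAFTED = [[("O", "Example Corp")], [("OU", "ops/CN=admin")]]       # "/CN=" inside one value
MULTI = [[("O", "Example Corp")], [("OU", "ops"), ("CN", "admin")]]  # multi-valued RDN

if __name__ == "__main__":
    print(name_oneline(LEGIT) == name_oneline(CRAFTED) == name_oneline(MULTI))  # True
    print(allow_by_oneline({name_oneline(LEGIT)}, CRAFTED))                    # True (wrongly)
    print(allow_by_encoding({name_hash(LEGIT)}, CRAFTED))                     # False
```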
