From: Dr Stephen Henson
To: dev@httpd.apache.org
Date: Tue, 18 Dec 2007 14:13:05 +0000
Subject: Re: SSL client certificate extensions requirements backport
Message-ID: <4767D571.3040707@oss-institute.org>
In-Reply-To: <4767CADB.3020009@bee-ware.net>
References: <4767CADB.3020009@bee-ware.net>
List: dev@httpd.apache.org (archive copy: apmail-httpd-dev-archive@www.apache.org)

Yann wrote:
> Hi,
>
> The attached patch allows the use of client certificate extension values
> (by long/short name or OID) in the mod_ssl/SSLRequire directive.
>
> This functionality is available in the 2.2.x and trunk branches but
> hasn't been backported to 2.0.61, while this can be a very useful feature
> (at least we need it for our product).
>
> The backport is taken from trunk since it allows the use of long/short
> extension names and it takes into account the token-name change done
> between 2.2.x and trunk (OID became PeerExtList): the patch allows both
> names to be used so that configuration files won't need changes.
>
> Any hope this could be part of the 2.0.x branch so I won't need to patch
> the official release?

Some comments from an OpenSSL perspective... well, also as the author of
the OpenSSL X509v3 extension parsing code ;-)

Iterating through extensions can be done more cleanly (i.e. avoiding access
to internal structures) using X509_get_ext_by_OBJ(). Similarly, you should
obtain the value field of an X509_EXTENSION structure using
X509_EXTENSION_get_data().

The use of X509V3_EXT_print() for this purpose is problematical. It is
intended to produce a human-readable version of an extension. The output
format is not cast in stone and as such may change from one version of
OpenSSL to another to produce more readable output. That can cause problems
when an attempt is made to parse its output, or even a security concern.

Steve.
--
Dr Stephen N. Henson.
Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: shenson@drh-consultancy.co.uk, PGP key: via homepage.