httpd-dev mailing list archives

From Dr Stephen Henson <>
Subject Re: Restricting access by arbitrary certificate extension
Date Thu, 28 May 2009 17:00:09 GMT
Joe Orton wrote:
> Zhumabekov - discussion of mod_ssl for httpd 2.x takes place on the 
> development list for Apache httpd, CC'ed.  (I'm quoting the full mail 
> inline for reference of dev@ readers)
> On Wed, May 06, 2009 at 10:49:46AM +0600, Zhumabekov Yerden wrote:
>> mod_ssl can perform client authentication on certificates in  
>> Apache and client authorization on certain certificate extensions. We  
>> are setting up CA here and we want to restrict access to certain website  
>> by checking the presence of certain certificate extension using its OID.  
>> The syntax which mod_ssl is forcing us to use is the following:
>>            <Location />
>>            SSLRequire “some string” in OID(“…..”)
>>            </Location>
>> As you can see, we need to match this string exactly in extension’s  
>> value. We can encounter a problem with this, because this extension may  
>> not be listed in the OpenSSL list of valid extensions  
>> (crypto/objects/objects.h). As I learned the mod_ssl and openssl code,  
>> mod_ssl would not be able to match the string because the object of this  
>> OID does not have a valid NID in openssl. OpenSSL seems incapable of  
>> determining the type of arbitrary extension we want to use as  
>> restricting factor. Hence, mod_ssl can not even extract its value from  
>> certificate.
>> Well, I poked around the problem for some time and found no  
>> other way than to patch mod_ssl by adding one new function in  
>> ssl_expr_eval.c which does almost the same thing as ssl_extlist_by_oid()  
>> and ssl_expr_eval_oid() but does not intend to extract the value of  
>> certificate extension. I also added some change to ssl_expr_eval_comp(),  
>> so if you supply the zero-length word in SSLRequire, it uses my new  
>> function instead of ssl_expr_eval_oid(). So, the new syntax is like this:
>>            <Location />
>>            SSLRequire “” in OID(“…..”)
>>            </Location>
>> If you are aware of a more attractive and “right” way to make  
>> it, please acknowledge. My patch for apache-2.2.11 is attached.
> I'd rather see a different syntax used for the new semantics, such as:
>    SSLRequire has_oid("")
> though I'm not sure whether the SSLRequire parser can cope with that.

I'm a bit confused by that description.

OpenSSL can access extensions which don't have a corresponding NID.

Matching an extension value by a string is an odd thing to do since an
extension can be a complex structure DER encoded.

It is generally impossible to determine the structure of an unknown extension
because its format is not well defined.


Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute:
OpenSSL Core team:
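To illustrate the two points in the reply above (an extension is located by its OID alone, no NID needed, and its value is an OCTET STRING wrapping DER whose structure is unknown for arbitrary extensions), here is an added example that is not part of the thread and not mod_ssl or OpenSSL code. It is pure Python with a minimal DER encoder/decoder instead of OpenSSL's C API. The Extensions SEQUENCE it parses is constructed inline, and the enterprise arc 1.3.6.1.4.1.99999 is a hypothetical OID chosen for the example. `has_oid()` implements the presence-only semantics Joe Orton sketched; `extension_text()` shows that a string comparison is only meaningful when the wrapped DER happens to be a single string type.

```python
"""Locate X.509 extensions by dotted OID without any NID table (added example)."""

# --- minimal DER encoder, used only to construct the sample data ---

def der_len(n):
    """DER length octets (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(0x06, bytes(out))

def extension(oid, inner_der, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    body = encode_oid(oid)
    if critical:
        body += tlv(0x01, b"\xff")
    body += tlv(0x04, inner_der)  # extnValue wraps arbitrary DER
    return tlv(0x30, body)

PRIVATE_ARC = "1.3.6.1.4.1.99999"  # hypothetical enterprise arc, not from the thread

# Constructed sample: one well-known extension and two private ones of different shapes.
SAMPLE_EXTENSIONS = tlv(0x30, b"".join([
    extension("2.5.29.19", tlv(0x30, tlv(0x01, b"\xff")), critical=True),  # basicConstraints CA:TRUE
    extension(PRIVATE_ARC + ".1", tlv(0x0C, b"some string")),              # UTF8String payload
    extension(PRIVATE_ARC + ".2", tlv(0x30, tlv(0x02, b"\x05") + tlv(0x0C, b"x"))),  # structured payload
]))

# --- decoder ---

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents to dotted form; no lookup table involved."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Return [(dotted_oid, critical, inner_der), ...] for an Extensions SEQUENCE."""
    tag, seq, _ = read_tlv(der)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    exts, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        assert tag == 0x30, "Extension must be a SEQUENCE"
        tag, oid_body, p = read_tlv(ext)
        assert tag == 0x06, "extnID must be an OID"
        critical = False
        tag, val, p = read_tlv(ext, p)
        if tag == 0x01:  # optional critical BOOLEAN
            critical = val == b"\xff"
            tag, val, p = read_tlv(ext, p)
        assert tag == 0x04, "extnValue must be an OCTET STRING"
        exts.append((decode_oid(oid_body), critical, val))
    return exts

def has_oid(der, oid):
    """Presence test only: the has_oid() semantics proposed in the thread."""
    return any(e_oid == oid for e_oid, _, _ in parse_extensions(der))

STRING_TAGS = {0x0C: "utf-8", 0x13: "ascii", 0x16: "ascii"}  # UTF8String, PrintableString, IA5String

def extension_text(der, oid):
    """Value as text if the wrapped DER is exactly one string-typed TLV; otherwise None.
    For an unknown OID nothing tells us the structure, so anything else is not comparable as a string."""
    for e_oid, _, inner in parse_extensions(der):
        if e_oid != oid:
            continue
        tag, body, end = read_tlv(inner)
        if tag in STRING_TAGS and end == len(inner):
            return body.decode(STRING_TAGS[tag])
        return None
    return None

if __name__ == "__main__":
    for e_oid, crit, inner in parse_extensions(SAMPLE_EXTENSIONS):
        print(e_oid, "critical" if crit else "", extension_text(SAMPLE_EXTENSIONS, e_oid), inner.hex())
```

Running it shows the private `.1` extension compares as `"some string"`, while basicConstraints and the private `.2` extension yield `None`: both are present and addressable by OID, but only a string-typed value can be matched the way `SSLRequire "..." in OID("...")` expects.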
