httpd-dev mailing list archives

From Zhumabekov Yerden <>
Subject Re: Restricting access by arbitrary certificate extension
Date Fri, 29 May 2009 03:54:03 GMT
> Joe Orton wrote:
> > Zhumabekov - discussion of mod_ssl for httpd 2.x takes place on the 
> > development list for Apache httpd, CC'ed.  (I'm quoting the full mail 
> > inline for reference of dev@ readers)

JFYI, Zhumabekov is my last name. First one is Yerden. :)
Thanks for pointing me to the right place.
> > On Wed, May 06, 2009 at 10:49:46AM +0600, Zhumabekov Yerden wrote:
> >>            mod_ssl can perform client authentication on certificate in  
> >> Apache and client authorization on certain certificate extensions. We  
> >> are setting up CA here and we want to restrict access to certain website  
> >> by checking the presence of certain certificate extension using its OID.  
> >> The syntax which mod_ssl is forcing us to use is the following:
> >>
> >>            <Location />
> >>            SSLRequire "some string" in OID("1.2.3.4…..")
> >>            </Location>
> >>
> >> As you can see, we need to match this string exactly in extension's  
> >> value. We can encounter problem with this, because this extension may  
> >> not be listed in openssl list of valid extensions  
> >> (crypto/objects/objects.h). As I learned the mod_ssl and openssl code,  
> >> mod_ssl would not be able to match the string because the object of this  
> >> OID does not have valid NID in openssl. OpenSSL seems incapable of  
> >> determining the type of arbitrary extension we want to use as  
> >> restricting factor. Hence, mod_ssl can not even extract its value from  
> >> certificate.
> >>            Well, I poked around the problem for some time and found no  
> >> other way than to patch mod_ssl by adding one new function in  
> >> ssl_expr_eval.c which does almost the same thing as ssl_extlist_by_oid()  
> >> and ssl_expr_eval_oid() but does not intend to extract the value of  
> >> certificate extension. I also added some change to ssl_expr_eval_comp(),  
> >> so if you supply the zero-length word in SSLRequire, it uses my new  
> >> function instead of ssl_expr_eval_oid(). So, the new syntax is like this:
> >>
> >>            <Location />
> >>            SSLRequire "" in OID("1.2.3.4…..")
> >>            </Location>
> >>
> >>            If you are aware of more attractive and "right" way to
> >> it, please acknowledge. My patch for apache-2.2.11 is attached.
> > 
> > I'd rather see a different syntax used for the new semantics, such as:
> > 
> >    SSLRequire has_oid("")
> > 
> > though I'm not sure whether the SSLRequire parser can cope with that.
> > 
> I'm a bit confused by that description.
> OpenSSL can access extensions which don't have a corresponding NID.
> Matching an extension value by a string is an odd thing to do since an
> extension can be a complex structure DER encoded.
> It is generally impossible to determine the structure of an unknown extension
> because its format is not well defined.

Hello, Steve, thanks for the answer.

Let me explain. Imagine some information system, which authorizes users by examining their certificates for existence of some certain OID. If you look through modssl configuration, you would see that there is no way for apache to authorize users like that.

The only thing modssl proposes is to make use of OID() directive, which is not useful since, as you said above, the value of this extension can have some complex structure. And if this OID does not have corresponding NID, using the OID() directive in http-ssl.conf makes no sense at all. Just look through the code and you will understand.

Logically speaking, this kind of check looks much easier to understand than the existing syntax proposed by modssl which makes no sense in many cases, just as you have stated before. I wonder why it's still not implemented in modssl.

2Joe Orton: Yes, I considered changing the syntax parsing logic in modssl, but it goes too deep in code. Since I needed a solution, I've constructed the simplest (but of course not the "rightest") patch.

Yerden Zhumabekov
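The presence check the thread is circling (Joe's has_oid("...") rather than a string match on the extension value), as an added example that is not code from the thread or from mod_ssl: a stdlib-only Python walk over the DER Extensions structure that reads extnID only. In mod_ssl itself the equivalent lookup would go through OpenSSL's OBJ_txt2obj() and X509_get_ext_by_OBJ(); the sample Extensions blob and the OID 1.2.3.4.5 below are constructed for the example.

```python
# Added example (not from the thread or mod_ssl): the check Joe Orton's proposed has_oid("...")
# would make over a certificate's DER Extensions (RFC 5280 4.1): read extnID only, never extnValue.

def tlv(tag: int, body: bytes) -> bytes:   # DER TLV, short or long-form length (builds the sample)
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def decode_oid(body: bytes) -> str:
    """DER OBJECT IDENTIFIER contents -> dotted string."""
    values, cur = [], 0
    for b in body:
        cur = (cur << 7) | (b & 0x7F)     # base-128 subidentifiers; high bit set means "continues"
        if not b & 0x80:
            values.append(cur)
            cur = 0
    lead = [2, values[0] - 80] if values[0] >= 80 else divmod(values[0], 40)  # first packs two arcs
    return ".".join(str(v) for v in [*lead, *values[1:]])

def iter_tlv(data: bytes):
    """Yield (tag, body) for each DER element in data (single-byte tags only)."""
    i = 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:                      # long form: low 7 bits give the length's byte count
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        yield tag, data[i:i + n]
        i += n

def extension_oids(extensions: bytes) -> list:
    """extnID of each Extension ::= SEQUENCE { extnID, critical OPTIONAL, extnValue }."""
    (tag, seq), = iter_tlv(extensions)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    oids = []
    for tag, ext in iter_tlv(seq):
        oid_tag, oid_body = next(iter_tlv(ext))   # extnID comes first; extnValue is never decoded
        assert tag == 0x30 and oid_tag == 0x06
        oids.append(decode_oid(oid_body))
    return oids

def has_oid(extensions: bytes, dotted: str) -> bool:
    return dotted in extension_oids(extensions)

# Constructed sample, not a real certificate: critical keyUsage (2.5.29.15 = 06 03 55 1d 0f) and a
# private extension under placeholder OID 1.2.3.4.5 (06 04 2a 03 04 05) whose value is a nested SEQUENCE.
SAMPLE_EXTENSIONS = tlv(0x30,
    tlv(0x30, b"\x06\x03\x55\x1d\x0f" + tlv(0x01, b"\xff") + tlv(0x04, b"\x03\x02\x05\xa0"))
    + tlv(0x30, b"\x06\x04\x2a\x03\x04\x05" + tlv(0x04, tlv(0x30, tlv(0x0c, b"clearance") + tlv(0x02, b"\x03")))))
```

The private extension's value is never parsed, which is the point: presence is decidable for any OID even when its value format is unknown to OpenSSL.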
