httpd-dev mailing list archives

From Dr Stephen Henson <>
Subject Re: Restricting access by arbitrary certificate extension
Date Fri, 29 May 2009 13:20:12 GMT
Zhumabekov Yerden wrote:
> Let me explain. Imagine some information system, which authorizes users
> by examining their certificates for the existence of a certain OID. If you
> look through the modssl configuration, you would see that there is no way
> for apache to authorize users like that.
> The only thing modssl proposes is to make use of the OID() directive, which
> is not useful since, as you said above, the value of this extension can have
> some complex structure.
> And if this OID does not have a corresponding NID, using the OID() directive
> in http-ssl.conf makes no sense at all. Just look through the code and you
> will understand.

You mean an extension which contains a specific OID as its value?

> Logically speaking, this kind of check looks much easier to understand than
> the existing syntax proposed by modssl, which makes no sense in many cases,
> just as you have stated before. I wonder why it's still not implemented in
> modssl.

The code looks a little unusual to me. The loop could be simplified by use of
X509_get_ext_by_OBJ() and avoid the direct structure access of ext->obj or just
use of X509_EXTENSION_get_object(). The variable oid needs to be freed otherwise
it will leak memory if the object doesn't have a corresponding NID.

Machine parsing human readable text output has the usual disclaimers. You'd
better be *very* sure string tricks can't trip you up.

Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute:
OpenSSL Core team:
