httpd-dev mailing list archives

From Dr Stephen Henson <>
Subject Re: Restricting access by arbitrary certificate extension
Date Fri, 29 May 2009 16:55:08 GMT
Zhumabekov Yerden wrote:
> No, I just want to check if the user certificate
> contains extension _using_ its OID.
> The OID() function (the one implemented in mod_ssl)
> can only extract the values of certificate
> extensions that are familiar to OpenSSL.
> For example, suppose you have some arbitrary
> extension and its OID is "". Since
> OpenSSL doesn't have this OID listed in its
> header files, it will not be able to read
> the value of this extension in certificate.
> But, if you supply
> SSLRequire "some string in my extension" in OID("")
> normally, mod_ssl will say "there is no such
> extension in certificate, _because_ I cannot
> read it" instead of "there is extension of
> this OID in certificate, _but_ I cannot read
> it".
> I just want to have some directive in
> configuration file which is useful to
> check _if_ the extension of certain OID
> is present in user's supplied certificate.
> That's simple, but mod_ssl cannot do
> that simple check.

Ah I see. The code in the trunk seems to have this functionality already: it
uses ASN1_STRING_print if X509V3_EXT_print fails. I'd guess this is to mirror
the behaviour of X509V3_extensions_print in OpenSSL.

There are other ways of doing things though. The default behaviour is to return
an error with an unsupported or invalid extension. By passing an appropriate
flag to X509V3_EXT_print it can print out a warning message, ASN1 parse the
result or perform a hex dump of the encoded value.

I'd say ASN1 parse is probably the most appropriate thing to do or possibly have
a configuration option.

Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute:
OpenSSL Core team:
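Added example, not part of the thread and not mod_ssl or OpenSSL code: a pure-Python DER walker that does the "is an extension with this OID present?" check the original poster asked for, independent of whether anyone knows the extension's syntax. It mirrors the behaviour Henson describes rather than calling X509V3_EXT_print: the value is shown as a decoded string when it is a plain ASN.1 string type and as a hex dump otherwise, which is what the "hex dump of the encoded value" fallback gives you. The OID 1.3.6.1.4.1.99999.1 is a hypothetical private-enterprise OID, and the certificate is a constructed, unsigned DER skeleton built by the code itself (only the extensions block is realistic), so the whole thing runs offline.

```python
# der_ext.py -- presence check for an X.509 extension by arbitrary OID.
# Assumptions: single-byte tags, definite-length DER (what X.509 mandates).
from typing import Iterator, List, Optional, Tuple

HYPOTHETICAL_OID = "1.3.6.1.4.1.99999.1"  # assumption: a private OID unknown to OpenSSL

# --- minimal DER encoder, used only to build the constructed sample certificate ---
def _encode_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _encode_len(len(body)) + body

def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:               # base-128, high bit set on all but the last byte
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return tlv(0x06, bytes(out))

# --- minimal DER decoder ---
def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, body, next_pos); rejects multi-byte tags and indefinite lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tag not expected in X.509")
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("length overruns buffer")
    return tag, buf[pos:end], end

def _children(body: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        yield tag, inner

def decode_oid(body: bytes) -> str:
    b0 = body[0]
    arcs = [2, b0 - 80] if b0 >= 80 else [b0 // 40, b0 % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def certificate_extensions(cert_der: bytes) -> List[Tuple[str, bool, bytes]]:
    """List (oid, critical, extnValue) for every extension, known to OpenSSL or not."""
    tag, cert, end = _read_tlv(cert_der, 0)
    if tag != 0x30 or end != len(cert_der):
        raise ValueError("not a DER Certificate")
    tbs_tag, tbs, _ = _read_tlv(cert, 0)
    if tbs_tag != 0x30:
        raise ValueError("missing tbsCertificate")
    for tag, inner in _children(tbs):
        if tag == 0xA3:                      # [3] EXPLICIT Extensions
            _, exts, _ = _read_tlv(inner, 0)
            result = []
            for _, ext in _children(exts):
                fields = list(_children(ext))  # extnID, [critical], extnValue
                oid = decode_oid(fields[0][1])
                critical = fields[1][0] == 0x01 and fields[1][1] != b"\x00"
                value = fields[2][1] if fields[1][0] == 0x01 else fields[1][1]
                result.append((oid, critical, value))
            return result
    return []

def extension_value(cert_der: bytes, dotted_oid: str) -> Optional[bytes]:
    for oid, _, value in certificate_extensions(cert_der):
        if oid == dotted_oid:
            return value
    return None

def extension_present(cert_der: bytes, dotted_oid: str) -> bool:
    return extension_value(cert_der, dotted_oid) is not None

_STRING_TAGS = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String"}

def describe_extension_value(value: bytes) -> str:
    """String types are decoded; anything else falls back to a hex dump, like OpenSSL's flag."""
    try:
        tag, body, end = _read_tlv(value, 0)
        if end == len(value) and tag in _STRING_TAGS:
            return f"{_STRING_TAGS[tag]}:{body.decode('utf-8')}"
    except (ValueError, IndexError, UnicodeDecodeError):
        pass
    return "hexdump:" + value.hex()

def build_sample_certificate() -> bytes:
    """Constructed, unsigned skeleton: empty name/validity/SPKI fields, real extensions block."""
    key_usage = tlv(0x30, encode_oid("2.5.29.15") + tlv(0x01, b"\xff")
                    + tlv(0x04, tlv(0x03, b"\x05\xa0")))           # critical keyUsage
    private = tlv(0x30, encode_oid(HYPOTHETICAL_OID)
                  + tlv(0x04, tlv(0x0C, b"role=admin")))           # unknown-to-OpenSSL OID
    exts = tlv(0xA3, tlv(0x30, key_usage + private))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30, b"") * 5 + exts)
    return tlv(0x30, tbs + tlv(0x30, b"") + tlv(0x03, b"\x00"))

if __name__ == "__main__":
    cert = build_sample_certificate()
    for oid, crit, val in certificate_extensions(cert):
        print(oid, "critical" if crit else "non-critical", describe_extension_value(val))
    print("present:", extension_present(cert, HYPOTHETICAL_OID))
```

Presence is decided purely from the extnID field, so an OID OpenSSL has never heard of is found just as reliably as keyUsage; what the value means is a separate question, which is why the describe step only decodes plain string types and otherwise hands back the raw bytes instead of guessing.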
