httpd-dev mailing list archives

From Zhumabekov Yerden <>
Subject Re: Restricting access by arbitrary certificate extension
Date Fri, 29 May 2009 17:17:18 GMT
Dr Stephen Henson wrote:
> Zhumabekov Yerden wrote:
>> I just want to have some directive in
>> configuration file which is useful to
>> check _if_ the extension of certain OID
>> is present in user's supplied certificate.
>> That's simple, but mod_ssl cannot do
>> that simple check.
> Ah I see. The code in the trunk seems to have this functionality already: it
> uses ASN1_STRING_print if X509V3_EXT_print fails. I'd guess this is to mirror
> the behaviour of X509V3_extensions_print in OpenSSL.
Oh, thanks. I will have a look at the latest code.
> There are other ways of doing things though. The default behaviour is to return
> an error with an unsupported or invalid extension. By passing an appropriate
> flag to X509V3_EXT_print it can print out a warning message, ASN1 parse the
> result or perform a hex dump of the encoded value.
Well, actually, I don't care about the value of the extension, I just want
to know if it's there or not. :)
> I'd say ASN1 parse is probably the most appropriate thing to do or possibly have
> a configuration option.
Thanks, I'll dig into it that way.
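
The presence-only check discussed in this thread, as an added example that is not part of the original message and is not mod_ssl or OpenSSL code: a standard-library Python walk of the certificate's DER structure that reports whether an extension with a given OID exists, without ever decoding its value. The OID `1.3.6.1.4.1.99999.1`, the helper names, and the unsigned certificate skeleton are constructed for illustration.

```python
def read_tlv(buf, pos):  # -> (tag, value bytes, next position) of the DER element at pos
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # yield (tag, value) for each element inside a constructed value
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def oid_to_der(dotted):  # dotted OID string -> DER content bytes (no tag or length)
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, (arc & 0x7F) | 0x80)
        out += bytes(chunk)
    return bytes(out)

def has_extension(cert_der, dotted_oid):
    """True if an extension with this OID is present; extnValue is never decoded."""
    _, cert, _ = read_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, tbs = next(children(cert))               # tbsCertificate
    want = oid_to_der(dotted_oid)
    for tag, val in children(tbs):
        if tag == 0xA3:                         # [3] EXPLICIT Extensions
            _, ext_seq = next(children(val))    # SEQUENCE OF Extension
            return any(next(children(ext))[1] == want for _, ext in children(ext_seq))
    return False

def tlv(tag, value):  # DER-encode one element; used only to build the sample below
    size = (len(value).bit_length() + 7) // 8
    head = bytes([len(value)]) if len(value) < 0x80 else bytes([0x80 | size]) + len(value).to_bytes(size, "big")
    return bytes([tag]) + head + value

PRIVATE_OID = "1.3.6.1.4.1.99999.1"  # constructed placeholder OID, not from the thread

def sample_cert(ext_oids):  # constructed, unsigned certificate skeleton with opaque extension values
    exts = b"".join(tlv(0x30, tlv(0x06, oid_to_der(o)) + tlv(0x04, b"\x00" * 150)) for o in ext_oids)
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 5
    tbs += tlv(0xA3, tlv(0x30, exts)) if exts else b""
    return tlv(0x30, tlv(0x30, tbs) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

Because only the `extnID` of each extension is compared, an extension whose value no decoder understands is still found, which is the case the thread is about.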

