httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: SSLRequire: requiring a particular OID in extKeyUsage
Date Thu, 15 Oct 2009 12:49:59 GMT
On Fri, Oct 09, 2009 at 07:56:42PM +0200, Graham Leggett wrote:
> I am trying to solve the problem of limiting access to those who present
> a client cert containing a specific extKeyUsage OID.
> 
> So far, the config that I have for httpd-trunk is this:
> 
>     SSLRequire "1.3.6.1.5.5.7.3.4" in PeerExtList("2.5.29.37")
> 
> Stepping through the code in a debugger, the PeerExtList() returns a
> list containing just one single entry in the list: "A, B, C", when in
> theory, it should return an actual list "A, "B", "C".

Are you trying to match against the contents of the (single) extKeyUsage 
extension?  That isn't how PeerExtList works, or at least, was written 
and documented to work, AFAICT: PeerExtList will return a list of the 
value of each extension in the cert with the given OID.

Does that make sense?  This is just from reading the trunk code/docs, I 
may be missing something.

To solve your problem: parsing the string which OpenSSL spits out as a 
representation of the extKeyUsage list would sound a bit hacky.  I guess 
I'd recommend doing it as a set of custom variables:

   SSL_{CLIENT,SERVER}_EXT_KEYUSAGE_{CLIENT_AUTH,EMAIL_PROTECTION,...}

which evaluate to 0 or 1 depending on whether the indicated usage is 
present in the extKeyUsage extension.  Would something like that work?

Regards, Joe
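As an added illustration, not code from the thread or from httpd itself: decoding the extKeyUsage value straight from its DER bytes yields the actual list of OIDs that Graham expected from PeerExtList, and a 0/1 check of the kind Joe proposes for SSL_CLIENT_EXT_KEYUSAGE_* falls out directly. The sample extension value below is constructed for the example.

```python
# Decoding the extKeyUsage extension value (RFC 5280 4.2.1.12) straight from DER:
#   ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId,  KeyPurposeId ::= OBJECT IDENTIFIER
# This yields the real list of OIDs rather than OpenSSL's "A, B, C" display string.
# Constructed sample value listing clientAuth (...7.3.2) and emailProtection (...7.3.4).
SAMPLE_EXT_KEY_USAGE = bytes.fromhex(
    "3014"                   # SEQUENCE, 20 content bytes
    "06082b06010505070302"   # OID 1.3.6.1.5.5.7.3.2 (clientAuth)
    "06082b06010505070304"   # OID 1.3.6.1.5.5.7.3.4 (emailProtection)
)

def _read_tlv(buf, pos):
    """Return (tag, contents, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long-form length: low 7 bits count length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(contents):
    """Convert OBJECT IDENTIFIER contents (base-128 arcs) to dotted notation."""
    arcs, acc = [], 0
    for b in contents:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                 # high bit clear ends the current arc
            arcs.append(acc)
            acc = 0
    if acc or not arcs:
        raise ValueError("malformed OID")
    first = arcs[0]                      # first two arcs are packed into one subidentifier
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])

def ext_key_usage_oids(der):
    """Return the list of KeyPurposeId OIDs carried by an extKeyUsage extension value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("extKeyUsage value must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, contents, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(contents))
    return oids

def has_key_purpose(der, oid):
    """0/1 check in the spirit of the proposed SSL_CLIENT_EXT_KEYUSAGE_* variables."""
    return int(oid in ext_key_usage_oids(der))
```

In a real deployment the DER bytes come from the extension in the presented client certificate; the parser rejects trailing data and non-OID members rather than guessing.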
