httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Galić <i.ga...@brainsware.org>
Subject Fwd: [users@httpd] SSLRequire & UTF-8 characters
Date Wed, 17 Nov 2010 14:53:56 GMT


Hi Myles,

it might be appropriate to ping dev@ with this problem
I'm not sure if it's a bug or a feature.

So long,
i


----- "Myles Bunbury (Myles)" <myles.bunbury@alcatel-lucent.com> wrote:

> > Which version of OpenSSL do you have?
> 
> openssl-0.9.8e-12.el5_4.6
> xmlsec1-openssl-1.2.9-8.1.1
> 
> > What locale is your system running on?
> 
> $LANG = en_US.UTF-8


----- Forwarded Message -----
From: "Myles Bunbury (Myles)" <myles.bunbury@alcatel-lucent.com>
To: users@httpd.apache.org
Sent: Thursday, 11 November, 2010 9:33:37 PM
Subject: [users@httpd] SSLRequire & UTF-8 characters

I'm trying to setup a DN filter against a certificate that has UTF-8 characters in it.

The Subject DN for the incoming certificate is:
C=CA,ST=Province,L=City,O=Company,OU=Unit,CN=“Weird”@¿سǽ€.com

The filter I'm trying to use in the httpd configuration file is:
SSLRequire (%{SSL_CLIENT_S_DN} =~ m#^/.*CN=“Weird”@¿سǽ€.*$#i)

This pattern does work for me for other certificates that do not contain UTF-* characters.

After some investigation, I discovered that this line does successfully pick up the certificate:
SSLRequire (%{SSL_CLIENT_S_DN} =~ m#^/.*CN= \\x1C\\x00W\\x00e\\x00i\\x00r\\x00d \\x1D\\x00@\\x00\\xBF\\x063\\x01\\xFD
\\xAC\\x00.\\x00c\\x00o\\x00m.*$#i)

While that works for this particular case, I'm trying to develop something where the regex
string will be constructed based on an arbitrary certificate supplied at runtime.

Questions:
1) Is it possible to configure httpd to match UTF-8 characters without all the escaping?

2) If all the "\\x" escaping is necessary, why are there 3 spaces in the escaped string when
they're not present in the certificate? (One space is after CN=, one after \\x00d, and one
after \\xFD.)

Other relevant info:
Apache httpd v2.2.16
PCRE v6.6-2.el5_1.7

I also tried PCRE v8.10, but I did not note any change in behaviour.

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/

Mime
View raw message