httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefan Fritsch>
Subject Re: Fwd: [users@httpd] SSLRequire & UTF-8 characters
Date Mon, 20 Dec 2010 21:28:29 GMT
On Monday 20 December 2010, Kaspar Brand wrote:

> > Instead of an SSLOption (which would require a request_rec to
> > lookup), I have implemented a per-vhost option for restoring
> > compatibility.
> Could we pass the request_rec from ssl_var_lookup() to
> ssl_var_lookup_ssl(), and from there on to
> ssl_var_lookup_ssl_cert() etc.? SSLOptions seems like the best
> place to me for such an option, it's where I would expect it to
> find as an httpd user.

The problem is that ssl_var_lookup can be called for an open 
connection before the request_rec is created. In the current trunk, 
this does not seem to be done for the SSL_*_DN variables, but it is 
done for other variables like SSL_CLIENT_S_DN_CN. So the question is: 
Do we accept that modules which may call ssl_var_lookup for SSL_*_DN 
without request_rec may get the result in an unexpected format?

> I would name the option LegacyDNStringFormat (instead of
> "...VarFormat").
> > Can
> > we reject such certificates somehow? Should we close the
> > connection if we see such a thing in ssl_var_lookup_ssl_cert? Or
> > should we try to escape the 0-byte in the variable?
> The latter. I suggest using ASN1_STRING_print_ex() with
> ASN1_STRFLGS_RFC2253 & ~ASN1_STRFLGS_ESC_MSB (will escape them as
> \0).

OK, makes sense.

View raw message