httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: mod_ssl: querying any certificate in the chain
Date Wed, 15 Jan 2014 16:36:41 GMT
On 14.01.2014 19:16, Graham Leggett wrote:
> Most specifically, I am after the DN of the root certificate in the chain, which in the
past was the issuer in the client certificate, but in an environment with intermediate certs
this is no longer valid.
> 
> Would a syntax like this make some sense?
> 
> SSL_CLIENT_S_DN_n - Give me the subject DN of the nth certificate in the chain.
> SSL_CLIENT_S_DN_x509_n - Give me the element of the subject DN of the nth certificate
in the chain.

Could be a useful enhancement, yes. The numbering should match the one
for the CLIENT_CERT_CHAIN variables, I think, and both the CLIENT_S_*
and the CLIENT_I_* things should be available (only with SSLOptions
ExportCertData perhaps?).

Note that the last cert of the chain, which mod_ssl currently grabs my
means of SSL_get_peer_cert_chain() is often not the root... browsers
usually leave it out (see RFC 5246 section 7.4.6/7.4.2, "MAY be omitted
from the chain"), or in some cases do not provide any intermediate CA
certificates at all.

If you really want to determine what root a successfully verified client
certificate (SSL_CLIENT_VERIFY=SUCCESS) chains to, you would have to use
a technique similar to the one sketched in [1] and followups (i.e., use
X509_verify_cert).

Kaspar

[1]
https://mail-archives.apache.org/mod_mbox/httpd-dev/201109.mbox/%3C4E64F9A3.6040304@velox.ch%3E

Mime
View raw message