httpd-dev mailing list archives

From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain
Date Sat, 01 Nov 2014 09:47:03 GMT
On 29.10.2014 16:40, Graham Leggett wrote:
> The attached patch makes the variable SSL_CLIENT_CERT_SUBJECTS
> available, which contains a list of subject DNs in each certificate
> in the chain. It is designed to be able to match against a full
> certificate chain where the subject and issuer of the certificate
> alone is not good enough to identify a certificate uniquely.

Does this relate to your post from January [1]?

> The subject DNs are themselves escaped and used to create a new DN as
> follows: name=subject1,name=subject2,name=subject3 (and so on).

Feels like a fairly idiosyncratic solution to me (essentially sticking
multiple things together into a single environment variable, with the
[known] problems of how to separate them again / do proper matching in
the application). I would prefer these DNs being exported to the
environment in the same way as it is currently done with the
SSL_CLIENT_CERT_CHAIN_n variables.

Kaspar


[1] https://mail-archives.apache.org/mod_mbox/httpd-dev/201401.mbox/%3C1A61F988-F33B-4E65-A141-E4516F8424CC%40sharp.fm%3E
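
The separation problem raised in the reply above, as an added example that is not part of the original message or of mod_ssl. It assumes "escaped" means a backslash before each of `\ , + " < > ; =` (the message does not say), and the `EXAMPLE_CHAIN_SUBJECT_` prefix and the sample DNs are constructed for illustration.

```python
# Added example. Assumption: "escaped" means a backslash before \ , + " < > ; =
SPECIALS = '\\,+"<>;='

def escape_value(dn):
    return "".join("\\" + c if c in SPECIALS else c for c in dn)

def join_subjects(subjects):
    """Build name=subject1,name=subject2,... as in the quoted proposal."""
    return ",".join("name=" + escape_value(s) for s in subjects)

def naive_split(combined):
    """What an application gets if it splits on every comma."""
    return combined.split(",")

def split_subjects(combined):
    """Split on unescaped commas only, undo escaping, check each name= prefix."""
    parts, cur, i = [], [], 0
    while i < len(combined):
        c = combined[i]
        if c == "\\":
            if i + 1 == len(combined):
                raise ValueError("dangling escape")
            cur.append(combined[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if c == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    if any(not p.startswith("name=") for p in parts):
        raise ValueError("malformed element")
    return [p[len("name="):] for p in parts]

def subjects_from_env(env, prefix="EXAMPLE_CHAIN_SUBJECT_"):
    """One DN per indexed variable (hypothetical prefix): no splitting needed."""
    out, n = [], 0
    while prefix + str(n) in env:
        out.append(env[prefix + str(n)])
        n += 1
    return out

# Constructed sample chain, leaf first.
CHAIN = ["CN=alice,O=Example Org", "CN=Issuing CA,O=Example Org",
         "CN=Root CA,O=Example Org"]
```

An application that matches on the chain has to get the escape-aware split exactly right in the combined form, while the indexed form hands it each DN unchanged.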
