httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kaspar Brand <httpd-dev.2...@velox.ch>
Subject Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain
Date Wed, 05 Nov 2014 09:04:59 GMT
On 02.11.2014 15:44, Graham Leggett wrote:
> Currently the application in this case is mod_authnz_ldap. While it
> is possible to build a complex expression to match a series of DNs,
> you are limited in knowing the length of the chain in advance, and in
> my case that isn’t possible - chains may be of arbitrary length.

Given that ssl_var_lookup() is available for use in other modules, and
provided that in addition SSL_CLIENT_S_DN_n, we would export an
additional variable with the chain length (SSL_CLIENT_CERT_CHAIN_LENGTH
or similar), wouldn't it be possible to do the manipulations required by
mod_authnz_ldap in that module? mod_ssl really seems the wrong place to
me for implementing application-specific requirements (such as these
"matryoshka doll"-style subject DNs).

Kaspar

Mime
View raw message