httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Igor Galić <i.ga...@brainsware.org>
Subject Re: [users@httpd] SSLRequire & UTF-8 characters
Date Tue, 16 Nov 2010 22:31:02 GMT

----- "Myles Bunbury (Myles)" <myles.bunbury@alcatel-lucent.com> wrote:

> I'm trying to setup a DN filter against a certificate that has UTF-8
> characters in it.
> 
> The Subject DN for the incoming certificate is:
> C=CA,ST=Province,L=City,O=Company,OU=Unit,CN=“Weird”@¿سǽ€.com
> 
> The filter I'm trying to use in the httpd configuration file is:
> SSLRequire (%{SSL_CLIENT_S_DN} =~ m#^/.*CN=“Weird”@¿سǽ€.*$#i)
> 
> This pattern does work for me for other certificates that do not
> contain UTF-* characters.
> 
> After some investigation, I discovered that this line does
> successfully pick up the certificate:
> SSLRequire (%{SSL_CLIENT_S_DN} =~ m#^/.*CN=
> \\x1C\\x00W\\x00e\\x00i\\x00r\\x00d
> \\x1D\\x00@\\x00\\xBF\\x063\\x01\\xFD
> \\xAC\\x00.\\x00c\\x00o\\x00m.*$#i)
> 
> While that works for this particular case, I'm trying to develop
> something where the regex string will be constructed based on an
> arbitrary certificate supplied at runtime.
> 
> Questions:
> 1) Is it possible to configure httpd to match UTF-8 characters without
> all the escaping?
> 
> 2) If all the "\\x" escaping is necessary, why are there 3 spaces in
> the escaped string when they're not present in the certificate? (One
> space is after CN=, one after \\x00d, and one after \\xFD.)
> 
> Other relevant info:
> Apache httpd v2.2.16
> PCRE v6.6-2.el5_1.7

Which version of OpenSSL do you have?
What locale is your system running on?

> I also tried PCRE v8.10, but I did not note any change in behaviour.


So long,
i

-- 
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.galic@brainsware.org
URL: http://brainsware.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message