https://issues.apache.org/bugzilla/show_bug.cgi?id=51174
Bug #: 51174
Summary: SSLRequire predicates using OIDs unknown to openssl
Product: Apache httpd-2
Version: 2.2.17
Platform: All
OS/Version: Linux
Status: NEW
Severity: minor
Priority: P2
Component: mod_ssl
AssignedTo: [email protected]
ReportedBy: [email protected]
Classification: Unclassified
Created attachment 26975
--> https://issues.apache.org/bugzilla/attachment.cgi?id=26975
"works for me" patch
By calling X509V3_EXT_print() with a null flags argument in
modules/ssl/ssl_expr_eval.c: ssl_extlist_by_oid() it is not possible to express
conditions on arbitrary OIDs, as in

    SSLRequire file("/a/file") in OID("1.3.6.1.4.1.311.21.10")

I propose the attached patch to address the problem.
Be aware that the OID values in val_array are compared using strcmp() in
ssl_expr_eval_oid(), so a null byte may disrupt the check. I wasn't able to
find evidence about the chance of having a null byte in ASN.1, so the patch
only counts as a "works for me" solution.
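
Added example, not part of the original report and not mod_ssl code: the strcmp() caveat from the report, shown in C on constructed bytes. The ext_val type and the match_* and hex_encode functions are hypothetical names; the sample pair differs only after a 0x00 byte, which strcmp() never reaches, while a length-aware comparison or hex-encoding before comparing does tell them apart.

```c
#include <stdio.h>
#include <string.h>

/* Length-tagged extension value (hypothetical type for this example). */
struct ext_val { const unsigned char *data; size_t len; };
/* Constructed DER-like bytes: identical up to a 0x00, different after it. */
static const unsigned char allowed_raw[]   = { 0x0c, 0x04, 'a', 0x00, 'x', 'y' };
static const unsigned char presented_raw[] = { 0x0c, 0x04, 'a', 0x00, 'z', 'z' };
static const struct ext_val allowed   = { allowed_raw, sizeof allowed_raw };
static const struct ext_val presented = { presented_raw, sizeof presented_raw };

/* strcmp() stops at the first 0x00 (each sample has one), ignoring the tail. */
static int match_strcmp(const struct ext_val *a, const struct ext_val *b)
{
    return strcmp((const char *)a->data, (const char *)b->data) == 0;
}

/* Length-aware comparison covers every byte, including any 0x00. */
static int match_bytes(const struct ext_val *a, const struct ext_val *b)
{
    return a->len == b->len && memcmp(a->data, b->data, a->len) == 0;
}

/* Hex-encode so the text form is NUL-free; returns -1 if out is too small. */
static int hex_encode(const struct ext_val *v, char *out, size_t outlen)
{
    if (outlen < v->len * 2 + 1)
        return -1;
    out[0] = '\0';
    for (size_t i = 0; i < v->len; i++)
        sprintf(out + 2 * i, "%02x", (unsigned)v->data[i]);
    return 0;
}

/* strcmp() is sound again once both sides are hex text. */
static int match_hex(const struct ext_val *a, const struct ext_val *b)
{
    char ha[64], hb[64];
    if (hex_encode(a, ha, sizeof ha) || hex_encode(b, hb, sizeof hb))
        return 0;
    return strcmp(ha, hb) == 0;
}

int main(void)
{
    printf("strcmp=%d memcmp=%d hex=%d\n", match_strcmp(&allowed, &presented),
           match_bytes(&allowed, &presented), match_hex(&allowed, &presented));
    return 0;
}
```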