On Fri, Oct 15, 2004 at 10:17:19AM -0700, Madhusudan Mathihalli wrote:
> The current mod_ssl uses X509_NAME_oneline to get a one-line ASCII
> format of the DN. This, however, is not compliant with the RFC -
> check out http://www.openssl.org/support/faq.html#USER13.
>
> Moreover, the man page for X509_NAME_oneline (with OpenSSL 0.9.7x)
> says that the function is obsolete, and that we ought to use
> X509_NAME_print_ex.

The RFC mentioned, RFC2253, is a mapping for DNs into a standard form
for use with LDAP databases. mod_ssl exports DNs for use in
FakeBasicAuth, and in the SSL_*_DN variables (anywhere else too?); I
don't see how these relate to LDAP?

> The patch is pretty simple if we want to change mod_ssl to use the RFC
> supported style. However, there are probably a lot of users who will
> not be happy if we change it abruptly. Hence I propose that we add a
> new SSL directive (SSLDNFormat or something like that) which allows
> the user to configure the format he likes (default will be the non-RFC
> compliant).

Which use of DNs do you want to change? Controlling these disparate
uses of DNs from one config directive sounds confusing.

joe
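
Added example, not part of the original message and not mod_ssl or OpenSSL code: a simplified Python model of the two DN string forms under discussion, showing why an access list keyed on the legacy one-line form (as a FakeBasicAuth user file or a rule on an SSL_*_DN variable would be) stops matching if the output format is switched. The sample DN, the function names and the ACL are constructed for illustration; multi-valued RDNs and non-ASCII values are not modelled.

```python
# Simplified model of the two DN string forms. Input is a list of
# (attribute short name, value) pairs in certificate order.

# Characters RFC 2253 section 2.4 requires to be backslash-escaped.
_RFC2253_SPECIAL = ',+"\\<>;'


def dn_oneline(rdns):
    """Legacy one-line form: '/TYPE=value' for each RDN, certificate order."""
    return "".join("/%s=%s" % (t, v) for t, v in rdns)


def rfc2253_escape(value):
    """Escape an attribute value per RFC 2253 section 2.4 (ASCII only)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (
            ch in _RFC2253_SPECIAL
            or (i == 0 and ch in " #")      # leading space or '#'
            or (i == last and ch == " ")    # trailing space
        )
        out.append("\\" + ch if needs_escape else ch)
    return "".join(out)


def dn_rfc2253(rdns):
    """RFC 2253 form: last RDN first, comma separated, values escaped."""
    return ",".join("%s=%s" % (t, rfc2253_escape(v)) for t, v in reversed(rdns))


def is_listed(dn_string, acl):
    """Exact string match, the way a DN-keyed user list is consulted."""
    return dn_string in acl


# Constructed sample subject DN and an ACL written against the legacy form.
SAMPLE_RDNS = [("C", "US"), ("O", "Example, Inc."), ("CN", "alice")]
LEGACY_ACL = {dn_oneline(SAMPLE_RDNS)}

if __name__ == "__main__":
    for render in (dn_oneline, dn_rfc2253):
        s = render(SAMPLE_RDNS)
        print("%-12s %-36s listed=%s" % (render.__name__, s, is_listed(s, LEGACY_ACL)))
```

The same certificate yields two different strings, so any deployed rule that compares DN text has to be rewritten in step with a format change.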
