On 19.05.2014 16:58, Graham Leggett wrote:
> In httpd v2.4's mod_ssl I can access the various components of the
> subject and the issuer DN using SSL_CLIENT_S_DN_x509 and
> SSL_CLIENT_I_DN_x509.
>
> Is there a corresponding set of variables that can pull the same
> information out of the subjectAltName?

No, this would imply extending ssl_engine_vars.c to also process
information from the subjectAltName extension. What types of
subjectAltName entries are you most interested in? These are the
subjectAltName types defined by RFC 5280:

   GeneralName ::= CHOICE {
        otherName                       [0]     OtherName,
        rfc822Name                      [1]     IA5String,
        dNSName                         [2]     IA5String,
        x400Address                     [3]     ORAddress,
        directoryName                   [4]     Name,
        ediPartyName                    [5]     EDIPartyName,
        uniformResourceIdentifier       [6]     IA5String,
        iPAddress                       [7]     OCTET STRING,
        registeredID                    [8]     OBJECT IDENTIFIER }

I.e., it would probably be best to focus on common ones like
rfc822Name or dNSName, otherwise we might get lost in adding a plethora
of additional environment variables. Is client cert authentication your
use case, or in what context are you interested in this information?
Kaspar