mod_ssl can perform client authentication on certificates in Apache and client authorization based on certain certificate extensions. We are setting up a CA here and we want to restrict access to a certain website by checking for the presence of a certain certificate extension using its OID. The syntax which mod_ssl forces us to use is the following:

           <Location />
           SSLRequire "some string" in OID("1.2.3.4…..")
           </Location>

As you can see, we need to match this string exactly in the extension's value. We can encounter a problem with this, because this extension may not be listed in OpenSSL's list of valid extensions (crypto/objects/objects.h). As I learned from the mod_ssl and OpenSSL code, mod_ssl would not be able to match the string because the object for this OID does not have a valid NID in OpenSSL. OpenSSL seems incapable of determining the type of an arbitrary extension we want to use as a restricting factor. Hence, mod_ssl cannot even extract its value from the certificate. Well, I poked around the problem for some time and found no other way than to patch mod_ssl by adding one new function in ssl_expr_eval.c which does almost the same thing as ssl_extlist_by_oid() and ssl_expr_eval_oid() but does not attempt to extract the value of the certificate extension. I also made a change to ssl_expr_eval_comp(), so if you supply a zero-length word in SSLRequire, it uses my new function instead of ssl_expr_eval_oid(). So, the new syntax is like this:

           <Location />
           SSLRequire "" in OID("1.2.3.4…..")
           </Location>

If you are aware of a more attractive and "right" way to do it, please let me know. My patch for apache-2.2.11 is attached.

--
Zhumabekov Yerden

Attachment: apache_oid_presence.patch.gz
Description: application/gzip
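The presence check the post describes, as an added example that is not part of the original message, of the attached patch, or of mod_ssl/OpenSSL: a minimal DER walker that tests an X.509 Extensions list for an extension by its dotted OID, comparing the raw DER-encoded OID bytes rather than looking the OID up by NID. It only uses the Python standard library. The sample Extensions list is constructed by hand here (not a real certificate); the private OID 1.3.6.1.4.1.99999.1 and the "some string" payload are illustrative assumptions. For an OID OpenSSL does not know, the extnValue octets are returned opaque, which is exactly the type-determination problem the post runs into.

```python
"""Added example: locate an X.509 extension by arbitrary OID in DER.
Not code from mod_ssl, OpenSSL, or the patch attached to the post."""


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (contents octets only, no tag/length)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: %s" % dotted)
    out = bytearray()
    for n in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [n & 0x7F]          # base-128, high bit set on all but last
        n >>= 7
        while n:
            chunk.append(0x80 | (n & 0x7F))
            n >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def der(tag: int, contents: bytes) -> bytes:
    """Wrap contents in a DER TLV (used to build the constructed sample)."""
    n = len(contents)
    if n < 0x80:
        return bytes([tag, n]) + contents
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + contents


def read_tlv(buf: bytes, pos: int):
    """Read one DER TLV (single-byte tag) at pos: (tag, contents, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def parse_extensions(exts_der: bytes) -> dict:
    """RFC 5280 Extensions ::= SEQUENCE OF Extension -> {oid_bytes: (critical, extnValue)}."""
    tag, seq, end = read_tlv(exts_der, 0)
    if tag != 0x30 or end != len(exts_der):
        raise ValueError("not an Extensions SEQUENCE")
    result, pos = {}, 0
    while pos < len(seq):
        t, ext, pos = read_tlv(seq, pos)
        if t != 0x30:
            raise ValueError("Extension is not a SEQUENCE")
        t, oid, p = read_tlv(ext, 0)
        if t != 0x06:
            raise ValueError("extnID is not an OID")
        t, body, p = read_tlv(ext, p)
        critical = False
        if t == 0x01:                       # optional BOOLEAN critical
            critical = body != b"\x00"
            t, body, p = read_tlv(ext, p)
        if t != 0x04:
            raise ValueError("extnValue is not an OCTET STRING")
        result[oid] = (critical, body)      # body stays opaque for unknown OIDs
    return result


def has_extension(exts_der: bytes, dotted: str) -> bool:
    """Presence check by raw OID bytes; no NID table needed."""
    return encode_oid(dotted) in parse_extensions(exts_der)


def extension_value(exts_der: bytes, dotted: str):
    """Raw extnValue octets, or None if the extension is absent."""
    entry = parse_extensions(exts_der).get(encode_oid(dotted))
    return None if entry is None else entry[1]


def extension_is_critical(exts_der: bytes, dotted: str):
    entry = parse_extensions(exts_der).get(encode_oid(dotted))
    return None if entry is None else entry[0]


# Constructed sample (assumption, not a real certificate): keyUsage (critical,
# digitalSignature only) plus a hypothetical private extension wrapping a UTF8String.
KEY_USAGE_OID = "2.5.29.15"
PRIVATE_OID = "1.3.6.1.4.1.99999.1"        # hypothetical OID for illustration


def build_sample_extensions() -> bytes:
    key_usage = der(0x30, der(0x06, encode_oid(KEY_USAGE_OID))
                    + der(0x01, b"\xff")
                    + der(0x04, der(0x03, b"\x07\x80")))   # BIT STRING, bit 0 set
    private = der(0x30, der(0x06, encode_oid(PRIVATE_OID))
                  + der(0x04, der(0x0C, b"some string")))
    return der(0x30, key_usage + private)


SAMPLE_EXTENSIONS = build_sample_extensions()

if __name__ == "__main__":
    for oid in (KEY_USAGE_OID, PRIVATE_OID, "1.2.3.4"):
        print(oid, has_extension(SAMPLE_EXTENSIONS, oid), extension_value(SAMPLE_EXTENSIONS, oid))
```

The returned extnValue for the private OID is the DER of the inner UTF8String, tag and length included; a caller that wants to compare "some string" against it still has to know (or guess) the inner type, which is the step OpenSSL cannot do for an OID without a NID.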
