Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain

2014-11-11 Thread Kaspar Brand
On 09.11.2014 14:30, Graham Leggett wrote: > On 06 Nov 2014, at 8:05 AM, Kaspar Brand wrote: > >>> Is there another way to do this? >> >> "Manually" performing what certificateExactMatch is specifying, I would >> say - i.e., use the (SSL_CLIENT_M_SERIAL,SSL_CLIENT_I_DN) tuple as a >> unique ident
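The (SSL_CLIENT_M_SERIAL, SSL_CLIENT_I_DN) tuple Kaspar suggests above is exactly the CertificateExactAssertion the thread quotes from X.509 11.3.1 (serialNumber plus issuer name), so the natural way to use it against LDAP is a certificateExactMatch extensible-match filter rather than a binary userCertificate compare. The following is an added example, not part of the patch or of httpd, showing how to derive that assertion from the two mod_ssl variables and embed it in a filter without opening an LDAP-injection hole. It assumes (none of this is stated in the thread): an OpenLDAP-style directory that accepts the GSER assertion form `{ serialNumber N, issuer rdnSequence:"DN" }` on the `userCertificate` attribute; that SSL_CLIENT_M_SERIAL is the uppercase hex string mod_ssl emits; and that SSL_CLIENT_I_DN is either the RFC 2253 form (the httpd 2.4 default) or the legacy `/C=..../O=....` form (LegacyDNStringFormat on), which the helper normalises. The sample values are constructed.

```python
"""Added example: build an LDAP certificateExactMatch filter from the
mod_ssl variables SSL_CLIENT_M_SERIAL and SSL_CLIENT_I_DN.

Assumptions (not from the thread): OpenLDAP GSER assertion syntax on
userCertificate; serial is hex as mod_ssl exports it; issuer DN is
RFC 2253 or the legacy '/C=..' form.
"""
import re

# Split the legacy form on '/' only where an attribute type follows.
_LEGACY_RDN = re.compile(r'/(?=[A-Za-z][A-Za-z0-9.]*=)')


def _escape_rfc4514_value(value):
    """Escape an attribute value for an RFC 4514 DN string."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append('\\' + ch)
        elif ch == '#' and i == 0:
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def legacy_dn_to_rfc2253(dn):
    """Convert mod_ssl's legacy '/C=US/O=Example/CN=CA' string to the
    RFC 2253 form 'CN=CA,O=Example,C=US'. Input already in RFC 2253
    form is returned unchanged. Caveat: the legacy format does not
    escape '/', so a value containing '/type=' cannot be split
    unambiguously; prefer the RFC 2253 output of httpd 2.4."""
    if not dn.startswith('/'):
        return dn
    parts = [p for p in _LEGACY_RDN.split(dn) if p]
    rdns = []
    for part in reversed(parts):          # legacy order is root first
        typ, _, val = part.partition('=')
        rdns.append('%s=%s' % (typ, _escape_rfc4514_value(val)))
    return ','.join(rdns)


def escape_filter_value(value):
    """RFC 4515 escaping, so that characters coming from the client
    certificate can never close or extend the search filter."""
    return (value.replace('\\', '\\5c')
                 .replace('*', '\\2a')
                 .replace('(', '\\28')
                 .replace(')', '\\29')
                 .replace('\0', '\\00'))


def certificate_exact_assertion(serial_hex, issuer_dn):
    """GSER text for CertificateExactAssertion (X.509 11.3.1 / RFC 4523).
    serialNumber is an INTEGER, so the hex string is converted; a '"'
    inside a GSER quoted string is written as '""'."""
    serial = int(serial_hex, 16)
    issuer = legacy_dn_to_rfc2253(issuer_dn).replace('"', '""')
    return '{ serialNumber %d, issuer rdnSequence:"%s" }' % (serial, issuer)


def build_filter(serial_hex, issuer_dn, attribute='userCertificate'):
    """Extensible-match filter selecting the entry whose certificate has
    exactly this (serial, issuer) pair."""
    assertion = certificate_exact_assertion(serial_hex, issuer_dn)
    return '(%s:certificateExactMatch:=%s)' % (
        attribute, escape_filter_value(assertion))


if __name__ == '__main__':
    # Constructed sample values shaped like mod_ssl's exports (not real data).
    env = {
        'SSL_CLIENT_VERIFY': 'SUCCESS',
        'SSL_CLIENT_M_SERIAL': '0A1B',
        'SSL_CLIENT_I_DN': 'CN=Example CA,O=Example Inc,C=US',
    }
    # The tuple only identifies a certificate once the chain has been
    # validated against the configured CAs; an unverified client can put
    # any issuer string in a self-signed certificate.
    if env['SSL_CLIENT_VERIFY'] == 'SUCCESS':
        print(build_filter(env['SSL_CLIENT_M_SERIAL'], env['SSL_CLIENT_I_DN']))
```

Two points worth keeping in mind when wiring this into mod_authnz_ldap or a custom module: the serial/issuer pair is only a unique identifier when the issuer is one of the CAs mod_ssl actually verified the chain against (SSLVerifyClient require, or a check of SSL_CLIENT_VERIFY), and the issuer DN must go through RFC 4515 escaping before it touches the filter, because its contents are chosen by whoever issued the certificate.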

Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain

2014-11-09 Thread Tim Bannister
On 1 Nov 2014, at 12:41, Graham Leggett wrote: > > The use case this solves is that I want to uniquely identify a certificate > and store that identity in an LDAP directory. The most obvious solution - > just store the cert in the userCertificate attribute and do a direct binary > match - does

Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain

2014-11-09 Thread Graham Leggett
On 06 Nov 2014, at 8:05 AM, Kaspar Brand wrote: >> Is there another way to do this? > > "Manually" performing what certificateExactMatch is specifying, I would > say - i.e., use the (SSL_CLIENT_M_SERIAL,SSL_CLIENT_I_DN) tuple as a > unique identifier for a specific client certificate. Imagine I

Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain

2014-11-07 Thread Kaspar Brand
On 06.11.2014 14:19, Dirk-Willem van Gulik wrote: > >> On 06 Nov 2014, at 14:14, Andreas B. wrote: >> >> Am 06.11.2014 um 08:34 schrieb Dirk-Willem van Gulik: On 06 Nov 2014, at 07:05, Kaspar Brand wrote: (i.e., we are again back at the point

Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain

2014-11-06 Thread Dirk-Willem van Gulik
> On 06 Nov 2014, at 14:14, Andreas B. wrote: > > Am 06.11.2014 um 08:34 schrieb Dirk-Willem van Gulik: >>> On 06 Nov 2014, at 07:05, Kaspar Brand >>> wrote: >>> 11.3.1 Certificate exact match … CertificateExactAssertion ::= SEQUENCE {

Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain

2014-11-06 Thread Andreas B.
Am 06.11.2014 um 08:34 schrieb Dirk-Willem van Gulik: On 06 Nov 2014, at 07:05, Kaspar Brand wrote: 11.3.1 Certificate exact match … CertificateExactAssertion ::= SEQUENCE { serialNumber CertificateSerialNumber, issuerName } ... (i.e., we are again back at the point th

Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain

2014-11-05 Thread Dirk-Willem van Gulik
> On 06 Nov 2014, at 07:05, Kaspar Brand wrote: > >> 11.3.1 Certificate exact match >> … >> CertificateExactAssertion ::= SEQUENCE { >> serialNumber CertificateSerialNumber, >> issuerName } ... > (i.e., we are again back at the point that uniqueness of an X.509 > certificate

Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain

2014-11-05 Thread Kaspar Brand
On 05.11.2014 14:26, Graham Leggett wrote: > The problem I am trying to solve is to find a practical way to > integrate an SSL client cert identity with LDAP, in such a way where > I can say “we recognise this certificate is mapped to that > capability”. I am struggling to find an accurate indicato

Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain

2014-11-05 Thread Graham Leggett
On 05 Nov 2014, at 11:04 AM, Kaspar Brand wrote: > Given that ssl_var_lookup() is available for use in other modules, and > provided that in addition SSL_CLIENT_S_DN_n, we would export an > additional variable with the chain length (SSL_CLIENT_CERT_CHAIN_LENGTH > or similar), wouldn't it be possi

Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain

2014-11-05 Thread Kaspar Brand
On 02.11.2014 15:44, Graham Leggett wrote: > Currently the application in this case is mod_authnz_ldap. While it > is possible to build a complex expression to match a series of DNs, > you are limited in knowing the length of the chain in advance, and in > my case that isn’t possible - chains may b

Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain

2014-11-04 Thread Graham Leggett
On 02 Nov 2014, at 4:44 PM, Graham Leggett wrote: >> I don't dispute that such a string "can be stored in any DN formatted >> field in LDAP", but consider the use of the "name" RDN (OID 2.5.4.41) >> fairly nonstandard. X.520 defines "Name" as "the attribute supertype >> from which string attribut

Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain

2014-11-02 Thread Graham Leggett
On 02 Nov 2014, at 12:07 PM, Kaspar Brand wrote: > Assuming that mod_ssl exported the subject DNs as SSL_CLIENT_S_DN_0, > SSL_CLIENT_S_DN_1 etc., what would be left to the application is > assembling them properly (by prepending "name=" and inserting comma > separators) to get the string you're l

Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain

2014-11-02 Thread Kaspar Brand
On 01.11.2014 13:41, Graham Leggett wrote: > The trouble with doing that is that it makes life really difficult to > match arbitrary certificate chains - you need to know in advance how > many certs are in each chain, and you need to perform a lot of > messing about to perform a match, and to ensur

Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain

2014-11-01 Thread Graham Leggett
On 01 Nov 2014, at 11:47 AM, Kaspar Brand wrote: > Feels like a fairly idiosyncratic solution to me (essentially sticking > multiple things together into a single environment variable, with the > [known] problems of how to separate them again / do proper matching in > the application). I would pr

Re: [Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain

2014-11-01 Thread Kaspar Brand
On 29.10.2014 16:40, Graham Leggett wrote: > The attached patch makes the variable SSL_CLIENT_CERT_SUBJECTS > available, which contains a list of subject DNs in each certificate > in the chain. It is designed to be able to match against a full > certificate chain where the subject and issuer of the

[Patch] mod_ssl SSL_CLIENT_CERT_SUBJECTS - access to full client certificate chain

2014-10-29 Thread Graham Leggett
Hi all, The attached patch makes the variable SSL_CLIENT_CERT_SUBJECTS available, which contains a list of subject DNs in each certificate in the chain. It is designed to be able to match against a full certificate chain where the subject and issuer of the certificate alone is not good enough t