Zhumabekov - discussion of mod_ssl for httpd 2.x takes place on the development list for Apache httpd, CC'ed. (I'm quoting the full mail inline for reference of dev@ readers)
On Wed, May 06, 2009 at 10:49:46AM +0600, Zhumabekov Yerden wrote:
> mod_ssl can perform client authentication on certificate in Apache and
> client authorization on certain certificate extensions. We are setting
> up a CA here and we want to restrict access to a certain website by
> checking the presence of a certain certificate extension using its OID.
> The syntax which mod_ssl is forcing us to use is the following:
>
> <Location />
> SSLRequire "some string" in OID("1.2.3.4…..")
> </Location>
>
> As you can see, we need to match this string exactly in the extension's
> value. We can encounter a problem with this, because this extension may
> not be listed in OpenSSL's list of valid extensions
> (crypto/objects/objects.h). As I learned the mod_ssl and OpenSSL code,
> mod_ssl would not be able to match the string because the object of this
> OID does not have a valid NID in OpenSSL. OpenSSL seems incapable of
> determining the type of an arbitrary extension we want to use as a
> restricting factor. Hence, mod_ssl can not even extract its value from
> the certificate.
>
> Well, I poked around the problem for some time and found no other way
> than to patch mod_ssl by adding one new function in ssl_expr_eval.c
> which does almost the same thing as ssl_extlist_by_oid() and
> ssl_expr_eval_oid() but does not intend to extract the value of the
> certificate extension. I also added some change to ssl_expr_eval_comp(),
> so if you supply the zero-length word in SSLRequire, it uses my new
> function instead of ssl_expr_eval_oid(). So, the new syntax is like this:
>
> <Location />
> SSLRequire "" in OID("1.2.3.4…..")
> </Location>
>
> If you are aware of a more attractive and "right" way to make it, please
> acknowledge. My patch for apache-2.2.11 is attached.

I'd rather see a different syntax used for the new semantics, such as:

    SSLRequire has_oid("1.2.3.4")

though I'm not sure whether the SSLRequire parser can cope with that.
Regards, Joe

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            majord...@modssl.org
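As an added illustration (not code from this thread, from mod_ssl or from OpenSSL), a minimal DER walk over a constructed X.509 Extensions sequence shows the distinction Yerden describes: locating an extension by an arbitrary OID needs no knowledge of its type, while comparing its value as a string does. The extension OIDs, the "staff" payload and all bytes below are constructed for the example, not taken from a real certificate.

```python
"""Presence test versus value test for an X.509 extension identified by OID.

Each Extension is DER: SEQUENCE { extnID OID, critical BOOLEAN OPTIONAL,
extnValue OCTET STRING }. The OCTET STRING content is itself DER of a type
that depends on the extension, which is what an implementation must know
before it can compare the value against a string.
"""

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(content):
    """Decode OID content bytes to dotted form, e.g. 2a 03 04 -> '1.2.3.4'."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:             # base-128 arcs, high bit set on all but last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def parse_extensions(ext_seq):
    """Map dotted OID -> extnValue content bytes for a SEQUENCE OF Extension."""
    _, body, _ = _read_tlv(ext_seq, 0)
    result, pos = {}, 0
    while pos < len(body):
        _, ext, pos = _read_tlv(body, pos)          # one Extension SEQUENCE
        _, oid, p = _read_tlv(ext, 0)               # extnID
        tag, val, p = _read_tlv(ext, p)
        if tag == 0x01:                             # skip optional BOOLEAN critical
            _, val, p = _read_tlv(ext, p)
        result[_decode_oid(oid)] = val              # OCTET STRING content
    return result

def has_oid(exts, oid):
    """Presence-only check: needs no type information about the extension."""
    return oid in exts

def string_value(exts, oid):
    """Return the value as str only when the payload is a recognised string type."""
    if oid not in exts:
        return None
    tag, inner, _ = _read_tlv(exts[oid], 0)
    if tag in (0x0C, 0x13, 0x16):     # UTF8String, PrintableString, IA5String
        return inner.decode("utf-8")
    return None                       # unknown encoding: no string comparison possible

# Constructed sample (hypothetical OIDs): 1.2.3.4 carries UTF8String "staff",
# 1.2.3.5 is marked critical and carries an INTEGER, which has no string form.
SAMPLE_EXTENSIONS = bytes.fromhex(
    "301f"
    "300e" "06032a0304" "04070c057374616666"
    "300d" "06032a0305" "0101ff" "040302012a"
)
```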