On 07/31/2014 03:35 AM, Amos Jeffries wrote:
Hi Christos,

Can you confirm or deny for me that these %USER_CERT_* macros map to the
%ssl::>cert_* logformat codes?

Not exactly.
 - The %ssl::>cert_subject is equivalent to the %USER_CERT_DN external acl macro
 - The %ssl::>cert_issuer is equivalent to the %USER_CA_CERT_DN


Their existence is one of the outstanding issues with external_acl_type
upgrade to logformat.

The certificate and certificate issuer subjects are in the form:
   C=GR, ST=ATTIKI, L=Athens, O=ChTsanti, OU=Admin, CN=fortune

The %USER_CERT_* and %USER_CA_CERT_* external acl macros are designed to return fields of the subject. For example, someone can use:
  %USER_CERT_CN or %USER_CA_CERT_O

The DN suffix means the whole subject.

The %ssl::>cert_subject and %ssl::>cert_issuer log formatting codes return the cert and issuer subjects. We need to support arguments in %ssl::>cert_subject and %ssl::>cert_issuer to have functionality similar to the external acl. For example:
  %{CN}ssl::>cert_subject
  %{CN}ssl::>cert_issuer
  %{DN}ssl::>cert_subject



Cheers
Amos

On 31/07/2014 3:31 a.m., Christos Tsantilas wrote:
------------------------------------------------------------
revno: 13517
committer: Christos Tsantilas <chtsa...@users.sourceforge.net>
branch nick: trunk
timestamp: Wed 2014-07-30 18:31:10 +0300
message:
   Fix %USER_CA_CERT_* and %CA_CERT_ external_acl formatting codes

     * The attribute part of the %USER_CA_CERT_xx and %CA_CERT_xx formatting codes
       is not parsed correctly, making these formatting codes useless.
     * The %USER_CA_CERT_xx is documented wrongly
modified:
   src/cf.data.pre
   src/external_acl.cc
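
Added example, not part of the original message and not Squid's own code: a sketch of pulling one field (as %USER_CERT_CN does) or the whole subject (the DN suffix) out of a subject string in the form shown above. The function names are hypothetical, and it assumes a backslash escapes the next character; without that, a value containing ", CN=..." would be misread as a separate field, which matters when an ACL decision depends on the result.

```cpp
#include <iostream>
#include <string>
#include <utility>
#include <vector>

// Split "C=GR, ST=ATTIKI, ..., CN=fortune" into (attribute, value) pairs.
// Assumption: "\x" means a literal x, so "\," does not end a field.
static std::vector<std::pair<std::string, std::string>>
parseSubject(const std::string &subject)
{
    std::vector<std::pair<std::string, std::string>> fields;
    std::string name, value;
    bool inValue = false;
    auto flush = [&]() {
        if (inValue)
            fields.emplace_back(name, value);
        name.clear();
        value.clear();
        inValue = false;
    };
    for (std::string::size_type i = 0; i < subject.size(); ++i) {
        const char c = subject[i];
        if (c == '\\' && i + 1 < subject.size())
            (inValue ? value : name) += subject[++i]; // escaped, taken literally
        else if (c == ',')
            flush();                                  // unescaped separator
        else if (c == '=' && !inValue)
            inValue = true;                           // first '=' ends the name
        else if (c == ' ' && !inValue && name.empty())
            continue;                                 // space after a separator
        else
            (inValue ? value : name) += c;
    }
    flush();
    return fields;
}

// Hypothetical helper: "DN" returns the whole subject; any other attribute
// returns its first value, or an empty string when the field is absent.
std::string certAttribute(const std::string &subject, const std::string &attr)
{
    if (attr == "DN")
        return subject;
    for (const auto &f : parseSubject(subject))
        if (f.first == attr)
            return f.second;
    return std::string();
}

int main()
{
    const std::string subject = "C=GR, ST=ATTIKI, L=Athens, O=ChTsanti, OU=Admin, CN=fortune";
    std::cout << certAttribute(subject, "CN") << "\n";
    return 0;
}
```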



