On 07/31/2014 03:35 AM, Amos Jeffries wrote:
Hi Christos,
Can you confirm or deny for me that these %USER_CERT_* macros map to the
%ssl::>cert_* logformat codes?
Not exactly.
- The %ssl::>cert_subject is equivalent to the %USER_CERT_DN external
acl macro
- The %ssl::>cert_issuer is equivalent to the %USER_CA_CERT_DN
Their existence is one of the outstanding issues with external_acl_type
upgrade to logformat.
The certificate and certificate issuer subjects are in the form:
C=GR, ST=ATTIKI, L=Athens, O=ChTsanti, OU=Admin, CN=fortune
The %USER_CERT_* and %USER_CA_CERT_* external acl macros designed to
return fields of the subject. For example someone can use:
%USER_CERT_CN or %USER_CA_CERT_O
The DN suffix means all the subject
The %ssl::>cert_subject and %ssl::>cert_issuer log formatting codes
return the cert and issuer subjects.
We need to support arguments in %ssl::>cert_subject and
%ssl::>cert_issuer to have similar functionality with external acl. For
example:
%{CN}ssl::>cert_subject
%{CN}ssl::>cert_issuer
%{DN}ssl::>cert_subject
Cheers
Amos
On 31/07/2014 3:31 a.m., Christos Tsantilas wrote:
------------------------------------------------------------
revno: 13517
committer: Christos Tsantilas <chtsa...@users.sourceforge.net>
branch nick: trunk
timestamp: Wed 2014-07-30 18:31:10 +0300
message:
Fix %USER_CA_CERT_* and %CA_CERT_ external_acl formating codes
* The attribute part of the %USER_CA_CERT_xx and %CA_CERT_xx formating
codes
is not parsed correctly, make these formating codes useless.
* The %USER_CA_CERT_xx documented wrongly
modified:
src/cf.data.pre
src/external_acl.cc