Joe Orton wrote:
> On Fri, May 23, 2008 at 04:46:48PM +0200, Michael Ströder wrote:
>> In the current 2.x mod_ssl sources, UID maps to:
>>
>> #ifdef NID_x500UniqueIdentifier /* new name as of Openssl 0.9.7 */
>>     { "UID",   NID_x500UniqueIdentifier   },
>> #else /* old name, OpenSSL < 0.9.7 */
>>     { "UID",   NID_uniqueIdentifier       },
>> #endif
>> Hmm, the user ID is already stored by mod_ssl with attribute name "UID" in env var SSL_CLIENT_S_DN. Given that it's OpenSSL 0.9.8 and that the attribute type seems to be interpreted as UID, is it safe to assume that the cert contains the right OID?
>
> No, unfortunately there is disparity between mod_ssl and OpenSSL here. (I don't know why; I think historically the short name mappings were not unique in OpenSSL possibly, something like that)
>
> OpenSSL uses "UID" for NID_userId (OID mapping an exercise for the reader, see obj_mac.h in OpenSSL ;). So in fact that's the tag used for that RDN.

Ok, then the OID in my cert is 0.9.2342.19200300.100.1.1 (attribute type 'uid' specified for pilotPerson). That seems right to me since it's compliant with RFC 4514 which contains a table of short and long attribute type names and their OIDs (end of chapter 3).

But now I don't understand the #ifdef-statement mentioned above. From my understanding it MUST NOT reference NID_x500UniqueIdentifier. It MUST reference NID_userId. To me that looks clearly like a bug in mod_ssl.

Ciao, Michael.

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
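A way to check which attribute-type OID a certificate's UID RDN actually carries, as an added example that is not part of the thread nor of mod_ssl or OpenSSL code: a small pure-Python DER OBJECT IDENTIFIER decoder/encoder with the two OIDs the discussion contrasts. The sample DER bytes are constructed, and the mapping of 2.5.4.45 to NID_x500UniqueIdentifier is an assumption taken from OpenSSL's object table rather than from the thread.

```python
# Constructed sample: the DER encoding of the AttributeType OID found in the
# "UID" RDN of a certificate subject (tag 0x06, length 10, base-128 arcs).
UID_RDN_TYPE_DER = bytes.fromhex("060a0992268993f22c640101")

# OID -> OpenSSL NID name. The userId OID is the one named in the thread
# (RFC 4514 "UID"); 2.5.4.45 is assumed to be the OID behind
# NID_x500UniqueIdentifier, which the mod_ssl #ifdef selects on OpenSSL >= 0.9.7.
ATTRIBUTE_TYPE_NIDS = {
    "0.9.2342.19200300.100.1.1": "NID_userId",
    "2.5.4.45": "NID_x500UniqueIdentifier",
}


def decode_oid(der: bytes) -> str:
    """Decode one short-form DER OBJECT IDENTIFIER into dotted notation."""
    if len(der) < 3 or der[0] != 0x06 or der[1] >= 0x80:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    body = der[2:]
    if len(body) != der[1]:
        raise ValueError("length octet does not match the data")
    if body[-1] & 0x80:
        raise ValueError("truncated subidentifier")
    arcs, value = [], 0
    for octet in body:
        value = (value << 7) | (octet & 0x7F)
        if octet & 0x80:
            continue  # continuation bit set: more base-128 digits follow
        if not arcs:
            # the first subidentifier packs arcs 1 and 2 as 40*X + Y, X <= 2
            first = min(value // 40, 2)
            arcs += [first, value - 40 * first]
        else:
            arcs.append(value)
        value = 0
    return ".".join(map(str, arcs))


def encode_oid(dotted: str) -> bytes:
    """Inverse of decode_oid, so a known OID can be searched for in raw DER."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for value in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        digits = [value & 0x7F]  # last base-128 digit has the high bit clear
        while value > 0x7F:
            value >>= 7
            digits.insert(0, (value & 0x7F) | 0x80)
        body += bytes(digits)
    return bytes([0x06, len(body)]) + bytes(body)


def attribute_type_nid(der: bytes) -> tuple:
    """Return (dotted OID, OpenSSL NID name or 'unknown') for an RDN type."""
    oid = decode_oid(der)
    return oid, ATTRIBUTE_TYPE_NIDS.get(oid, "unknown")
```

Feeding the UID RDN's type bytes from a DER-dumped subject into attribute_type_nid shows whether the certificate carries userId (what OpenSSL's "UID" means) or x500UniqueIdentifier (what the mod_ssl table maps "UID" to).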