Zhumabekov Yerden
Tue, 05 May 2009 21:52:03 -0700
<Location />
SSLRequire "some string" in OID("1.2.3.4…..")
</Location>
As you can see, we need to match this string exactly against the extension's
value. We can encounter a problem with this, because this extension may
not be listed in OpenSSL's list of valid extensions
(crypto/objects/objects.h). As I learned from the mod_ssl and OpenSSL code,
mod_ssl would not be able to match the string because the object of this
OID does not have a valid NID in OpenSSL. OpenSSL seems incapable of
determining the type of an arbitrary extension we want to use as a
restricting factor. Hence, mod_ssl cannot even extract its value from the
certificate.
Well, I poked around at the problem for some time and found no
other way than to patch mod_ssl by adding one new function in
ssl_expr_eval.c which does almost the same thing as ssl_extlist_by_oid()
and ssl_expr_eval_oid() but does not attempt to extract the value of the
certificate extension. I also made a change to ssl_expr_eval_comp(),
so if you supply a zero-length word in SSLRequire, it uses my new
function instead of ssl_expr_eval_oid(). So, the new syntax is like this:
<Location />
SSLRequire "" in OID("1.2.3.4…..")
</Location>
If you are aware of a more attractive and "right" way to do it,
please acknowledge. My patch for apache-2.2.11 is attached.
-- Zhumabekov Yerden
apache_oid_presence.patch.gz
Description: application/gzip
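What the proposed presence-only test has to do underneath, shown as an added example that is not part of this post or the attached mod_ssl patch: a pure-Python walk over a DER-encoded X.509 Extensions sequence that reports whether an extension with an arbitrary OID is present, and hands back its raw extnValue, without consulting a table of registered NIDs at all. The OID 1.2.3.4.5, the extension values and all function names below are constructed for the example.

```python
# Added example, not part of the mailing-list post or the attached patch.
# Shows the two checks SSLRequire needs for an arbitrary extension OID:
# "is it present at all" (the zero-length-word form) and "what is its raw
# value" (the string form), done by walking DER directly. Sample data is
# constructed; 1.2.3.4.5 is a placeholder OID with no registered meaning.


def der_len(n):
    """DER length octets for a content length n (short and long forms)."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def tlv(tag, content):
    """Wrap content in a DER tag-length-value triple."""
    return bytes([tag]) + der_len(len(content)) + content


def encode_oid(dotted):
    """Dotted OID string -> content octets of a DER OBJECT IDENTIFIER."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2:
        raise ValueError("OID needs two or more arcs and a root arc of 0, 1 or 2")
    out = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one octet
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]                    # base-128, high bit = continuation
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunks))
    return bytes(out)


def decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted OID string."""
    if content[-1] & 0x80:
        raise ValueError("truncated OID arc")
    first = content[0]
    root = 2 if first >= 80 else first // 40
    arcs = [root, first - 40 * root]
    value = 0
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos):
    """Read one TLV at buf[pos]; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("TLV runs past end of buffer")
    return tag, buf[pos:end], end


def build_extension(oid, value, critical=False):
    """Extension ::= SEQUENCE { extnID, critical DEFAULT FALSE, extnValue OCTET STRING }."""
    body = tlv(0x06, encode_oid(oid))
    if critical:
        body += tlv(0x01, b"\xff")
    body += tlv(0x04, value)
    return tlv(0x30, body)


def parse_extensions(der):
    """Return {dotted OID: (critical, raw extnValue)} for an Extensions SEQUENCE."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    found, pos = {}, 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("each Extension must be a SEQUENCE")
        tag, oid_bytes, p = read_tlv(ext, 0)
        if tag != 0x06:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        tag, val, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                          # optional critical BOOLEAN
            critical = val == b"\xff"
            tag, val, p = read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        found[decode_oid(oid_bytes)] = (critical, val)
    return found


def extension_present(der, oid):
    """Presence-only test, as in  SSLRequire "" in OID("...")."""
    return oid in parse_extensions(der)


def extension_value(der, oid):
    """Raw extnValue for the string-matching form, or None if absent."""
    entry = parse_extensions(der).get(oid)
    return None if entry is None else entry[1]


# Constructed sample: a registered extension (basicConstraints, CA=FALSE)
# beside a private one whose OID has no NID in OpenSSL's object table.
PRIVATE_OID = "1.2.3.4.5"                        # placeholder OID
SAMPLE_EXTENSIONS = tlv(0x30, b"".join([
    build_extension("2.5.29.19", b"\x30\x00", critical=True),
    build_extension(PRIVATE_OID, b"some string"),
]))

if __name__ == "__main__":
    for oid in (PRIVATE_OID, "2.5.29.19", "1.2.3.4.6"):
        state = "present" if extension_present(SAMPLE_EXTENSIONS, oid) else "absent"
        print(oid, state, extension_value(SAMPLE_EXTENSIONS, oid))
```

The value returned for the private OID is the raw OCTET STRING content, which is what a string comparison in SSLRequire would have to be made against; for registered extensions that content is itself DER (here an empty SEQUENCE for basicConstraints), which is why a plain string match only makes sense for extensions whose value is an unstructured string.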