Yann wrote:
> Hi,
>
> The joined patch allows the use of client certificate extension values
> (by long/short name or OID) in the mod_ssl/SSLRequire directive.
>
> This functionality is available in the 2.2.x and trunk branches but
> hasn't been backported to 2.0.61, while this can be a very useful
> feature (at least we need it for our product).
>
> The backport is taken from trunk since it allows the use of long/short
> extension names and it takes into account the token-name change done
> between 2.2.x and trunk (OID became PeerExtList): the patch allows both
> names to be used so that configuration files won't need changes.
>
> Any hope this could be part of the 2.0.x branch so I won't need to patch
> the official release?
Some comments from an OpenSSL perspective... well, also as the author of the OpenSSL X509v3 extension parsing code ;-)

Iterating through extensions can be done more cleanly (i.e. avoiding access to internal structures) using X509_get_ext_by_OBJ(). Similarly, you should obtain the value field of an X509_EXTENSION structure using X509_EXTENSION_get_data().

The use of X509V3_EXT_print() for this purpose is problematical. It is intended to produce a human readable version of an extension. The output format is not cast in stone and as such may change from one version of OpenSSL to another to produce a more readable output. That can cause problems when an attempt is made to parse its output, or even a security concern.

Steve.
--
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
