Yann wrote:

> The changes regarding X509V3_EXT_print() seem more problematic since
> the extension values are used in string comparison (strcmp and likes),
> hence the "human readable version", and the code is actually shared
> with the other expressions of the SSLRequire directive.

Well, the OpenSSL extension print format is subject to change, so any parsing or comparison routines could be broken by that. As well as readability changes, new features are also added; for example, printing out the otherName type in subject alt name is an often requested addition. There are the usual security issues of such things as embedded quotes and linefeeds being misinterpreted.

> Do you mean SSLRequire treatment should specially handle binary
> comparison for certificate extensions?
> And a way to write it in the configuration file ...

A binary comparison would be difficult to handle because it would have to effectively parse the ASN.1 extension encoding manually. Ideally we'd need a general purpose configurable mapping API where selective parts of a certificate can be mapped to fixed format strings. The options would vary depending on the extension type. OpenSSL would be the best place for that though.

Steve.
-- 
Dr Stephen N. Henson. Core developer of the OpenSSL project: http://www.openssl.org/
Freelance consultant see: http://www.drh-consultancy.co.uk/
Email: [EMAIL PROTECTED], PGP key: via homepage.
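To illustrate the two points Steve makes (a string match against the printed form can be fooled by separator characters inside a value, and a structural check means decoding the ASN.1 yourself), here is an added example that is not part of this thread or of mod_ssl or OpenSSL. It decodes a DER SubjectAltName with a minimal TLV reader and compares the decoded GeneralNames directly; the SAN values and the `printed_form` imitation of the human-readable output are constructed for the demonstration.

```python
import ipaddress

def _tlv(tag, payload):
    """Encode one DER TLV (short-form length only; constructed sample data is < 128 bytes)."""
    assert len(payload) < 128
    return bytes([tag, len(payload)]) + payload

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV at buf[pos]; handles short and long definite lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_san(der):
    """Decode SubjectAltName ::= SEQUENCE OF GeneralName into (kind, value) tuples."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "SubjectAltName must be a SEQUENCE"
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        choice = tag & 0x1F                 # context-specific tag number selects the GeneralName CHOICE
        if choice == 1:   names.append(("email", val.decode("ascii")))   # rfc822Name
        elif choice == 2: names.append(("DNS", val.decode("ascii")))     # dNSName
        elif choice == 6: names.append(("URI", val.decode("ascii")))     # uniformResourceIdentifier
        elif choice == 7: names.append(("IP", str(ipaddress.ip_address(val))))  # iPAddress OCTET STRING
        else:             names.append(("other", val.hex()))              # otherName etc. kept opaque
    return names

def san_contains(der, kind, expected):
    """Structural check: the expected name must be one whole decoded GeneralName."""
    return (kind, expected) in parse_san(der)

def printed_form(der):
    """Imitation of a 'DNS:a, email:b' style human-readable rendering (constructed, not OpenSSL's output)."""
    return ", ".join(f"{k}:{v}" for k, v in parse_san(der))

def naive_match(der, kind, expected):
    """The fragile approach: substring search in the printed form."""
    return f"{kind}:{expected}" in printed_form(der)

# Constructed sample SANs: a normal one, and one whose single dNSName embeds the printed-form separator.
SAN_GOOD = _tlv(0x30, _tlv(0x82, b"example.com") + _tlv(0x81, b"admin@example.com") + _tlv(0x87, bytes([192, 0, 2, 1])))
SAN_ODD = _tlv(0x30, _tlv(0x82, b"x.test, DNS:example.com"))
```

Running `naive_match(SAN_ODD, "DNS", "example.com")` returns True while `san_contains` returns False, which is exactly why comparing decoded values beats matching the printed text.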
