Zhumabekov - discussion of mod_ssl for httpd 2.x takes place on the
development list for Apache httpd, CC'ed. (I'm quoting the full mail
inline for reference of dev@ readers)
On Wed, May 06, 2009 at 10:49:46AM +0600, Zhumabekov Yerden wrote:
> mod_ssl can perform client authentication on certificates in
> Apache and client authorization on certain certificate extensions. We
> are setting up a CA here and we want to restrict access to a certain website
> by checking the presence of a certain certificate extension using its OID.
> The syntax which mod_ssl is forcing us to use is the following:
>
> <Location />
> SSLRequire "some string" in OID("1.2.3.4…..")
> </Location>
>
> As you can see, we need to match this string exactly in the extension's
> value. We can encounter a problem with this, because this extension may
> not be listed in openssl's list of valid extensions
> (crypto/objects/objects.h). As I learned from the mod_ssl and openssl code,
> mod_ssl would not be able to match the string because the object of this
> OID does not have a valid NID in openssl. OpenSSL seems incapable of
> determining the type of an arbitrary extension we want to use as a
> restricting factor. Hence, mod_ssl cannot even extract its value from the
> certificate.
> Well, I poked around the problem for some time and found no
> other way than to patch mod_ssl by adding one new function in
> ssl_expr_eval.c which does almost the same thing as ssl_extlist_by_oid()
> and ssl_expr_eval_oid() but does not intend to extract the value of the
> certificate extension. I also added some changes to ssl_expr_eval_comp(),
> so if you supply a zero-length word in SSLRequire, it uses my new
> function instead of ssl_expr_eval_oid(). So, the new syntax is like this:
>
> <Location />
> SSLRequire "" in OID("1.2.3.4…..")
> </Location>
>
> If you are aware of more attractive and “right” way to make
> it, please acknowledge. My patch for apache-2.2.11 is attached.
I'd rather see a different syntax used for the new semantics, such as:
SSLRequire has_oid("1.2.3.4")
though I'm not sure whether the SSLRequire parser can cope with that.
Regards, Joe
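An added example, not from this thread and not httpd/mod_ssl code: a small DER walker in Python that answers the question the patch is after ("is extension OID X present in the certificate?") directly from the raw X.509v3 Extensions SEQUENCE, so a private OID that has no NID in OpenSSL's objects table is still found. It assumes the caller has already pulled the Extensions blob out of the certificate, does no certificate validation, and the sample blob is constructed inline.

```python
def _tlv(tag, body):
    # DER tag-length-value for the constructed sample; short-form length only
    return bytes([tag, len(body)]) + body

def _base128(v):
    out = bytearray([v & 0x7F])          # OID arc, big-endian base 128
    while v := v >> 7:
        out.insert(0, 0x80 | (v & 0x7F))
    return bytes(out)

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = _base128(arcs[0] * 40 + arcs[1]) + b"".join(map(_base128, arcs[2:]))
    return _tlv(0x06, body)

def decode_oid(body):
    arcs, v = [], 0
    for b in body:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    first = arcs.pop(0)                  # first two arcs are packed into one
    head = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    return ".".join(map(str, head + arcs))

def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                        # long-form length: 0x8N then N bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def extension_oids(extensions_der):
    # Extensions ::= SEQUENCE OF Extension; extnID is each Extension's first field
    _, seq, _ = _read_tlv(extensions_der, 0)
    oids, pos = [], 0
    while pos < len(seq):
        _, ext, pos = _read_tlv(seq, pos)
        _, oid_body, _ = _read_tlv(ext, 0)
        oids.append(decode_oid(oid_body))
    return oids

def has_oid(extensions_der, dotted):
    # Presence test on the dotted string; no OpenSSL NID lookup involved
    return dotted in extension_oids(extensions_der)

# Constructed sample: basicConstraints (known to OpenSSL) plus private OID 1.2.3.4
SAMPLE = _tlv(0x30, _tlv(0x30, encode_oid("2.5.29.19") + _tlv(0x04, _tlv(0x30, b"")))
             + _tlv(0x30, encode_oid("1.2.3.4") + _tlv(0x04, _tlv(0x0C, b"member"))))
```

Feeding a real certificate's extensions to has_oid() gives the same yes/no answer whether or not OpenSSL knows the OID, which is the semantics Joe's proposed has_oid("1.2.3.4") form would express.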