Joe Orton wrote:
> Zhumabekov - discussion of mod_ssl for httpd 2.x takes place on the
> development list for Apache httpd, CC'ed. (I'm quoting the full mail
> inline for reference of dev@ readers)
>
> On Wed, May 06, 2009 at 10:49:46AM +0600, Zhumabekov Yerden wrote:
>> mod_ssl can perform client authentication on certificate in
>> Apache and client authorization on certain certificate extensions. We
>> are setting up CA here and we want to restrict access to certain website
>> by checking the presence of certain certificate extension using its OID.
>> The syntax which mod_ssl is forcing us to use is the following:
>>
>> <Location />
>> SSLRequire "some string" in OID("1.2.3.4…..")
>> </Location>
>>
>> As you can see, we need to match this string exactly in extension’s
>> value. We can encounter problem with this, because this extension may
>> not be listed in openssl list of valid extensions
>> (crypto/objects/objects.h). As I learned the mod_ssl and openssl code,
>> mod_ssl would not be able to match the string because the object of this
>> OID does not have valid NID in openssl. OpenSSL seems incapable of
>> determining the type of arbitrary extension we want to use as
>> restricting factor. Hence, mod_ssl can not even extract its value from
>> certificate.
>> Well, I poked around the problem for some time and found no
>> other way than to patch mod_ssl by adding one new function in
>> ssl_expr_eval.c which does almost the same thing as ssl_extlist_by_oid()
>> and ssl_expr_eval_oid() but does not intend to extract the value of
>> certificate extension. I also added some change to ssl_expr_eval_comp(),
>> so if you supply the zero-length word in SSLRequire, it uses my new
>> function instead of ssl_expr_eval_oid(). So, the new syntax is like this:
>>
>> <Location />
>> SSLRequire "" in OID("1.2.3.4…..")
>> </Location>
>>
>> If you are aware of more attractive and “right” way to make
>> it, please acknowledge. My patch for apache-2.2.11 is attached.
>
> I'd rather see a different syntax used for the new semantics, such as:
>
> SSLRequire has_oid("1.2.3.4")
>
> though I'm not sure whether the SSLRequire parser can cope with that.
>
I'm a bit confused by that description.
OpenSSL can access extensions which don't have a corresponding NID.
Matching an extension value by a string is an odd thing to do since an
extension can be a complex structure DER encoded.
It is generally impossible to determine the structure of an unknown extension
because its format is not well defined.
Steve.
--
Dr Stephen N. Henson. Senior Technical/Cryptography Advisor,
Open Source Software Institute: www.oss-institute.org
OpenSSL Core team: www.openssl.org
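An added example, not from this thread, mod_ssl or OpenSSL: a minimal DER walker that locates an X.509 extension purely by its dotted OID (no NID or object table) and returns the raw extnValue. It illustrates both points made above: the presence check the original poster wanted needs no OID registration, and the value that comes back is a DER structure, so an exact string match against it is fragile. The Extensions SEQUENCE is constructed inline for the example; the private OID 1.2.3.4 is a placeholder.

```python
# Added example (not the thread's or OpenSSL's code): locate an X.509 extension by
# dotted OID with no NID lookup, and hand back its raw DER-encoded extnValue.

def encode_oid(dotted):
    """DER content bytes of an OBJECT IDENTIFIER given as a dotted string."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but the last byte
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def read_tlv(buf, pos):
    """Read one DER TLV at pos; returns (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def find_extension(extensions_der, dotted_oid):
    """Return (critical, extnValue) for the extension with this OID, else None."""
    want = encode_oid(dotted_oid)
    tag, seq, _ = read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("Extensions is not a SEQUENCE")
    pos = 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)          # Extension ::= SEQUENCE
        t, oid, p = read_tlv(ext, 0)              # extnID OBJECT IDENTIFIER
        t, val, p = read_tlv(ext, p)
        critical = False
        if t == 0x01:                             # optional BOOLEAN critical
            critical = val == b"\xff"
            t, val, p = read_tlv(ext, p)
        if t == 0x04 and oid == want:             # extnValue OCTET STRING
            return critical, val
    return None

def tlv(tag, content):
    return bytes([tag, len(content)]) + content  # short-form length is enough here

# Constructed sample Extensions SEQUENCE: critical basicConstraints (CA=false)
# plus a made-up private extension 1.2.3.4 carrying SEQUENCE { UTF8String }.
SAMPLE = tlv(0x30,
    tlv(0x30, tlv(0x06, encode_oid("2.5.29.19")) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, b"")))
    + tlv(0x30, tlv(0x06, encode_oid("1.2.3.4")) + tlv(0x04, tlv(0x30, tlv(0x0C, b"some string")))))
```

Note that `find_extension(SAMPLE, "1.2.3.4")` returns the OCTET STRING contents, which begin with the SEQUENCE and UTF8String headers; the text "some string" is inside it but is not equal to it, which is why a policy should test for presence (or decode the known structure) rather than compare the value to a literal.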