On 14.01.2014 19:16, Graham Leggett wrote:
> Most specifically, I am after the DN of the root certificate in the chain,
> which in the past was the issuer in the client certificate, but in an
> environment with intermediate certs this is no longer valid.
>
> Would a syntax like this make some sense?
>
> SSL_CLIENT_S_DN_n - Give me the subject DN of the nth certificate in the
> chain.
> SSL_CLIENT_S_DN_x509_n - Give me the element of the subject DN of the nth
> certificate in the chain.
Could be a useful enhancement, yes. The numbering should match the one for the CLIENT_CERT_CHAIN variables, I think, and both the CLIENT_S_* and the CLIENT_I_* things should be available (only with SSLOptions ExportCertData perhaps?).

Note that the last cert of the chain, which mod_ssl currently grabs by means of SSL_get_peer_cert_chain(), is often not the root... browsers usually leave it out (see RFC 5246 section 7.4.6/7.4.2, "MAY be omitted from the chain"), or in some cases do not provide any intermediate CA certificates at all.

If you really want to determine what root a successfully verified client certificate (SSL_CLIENT_VERIFY=SUCCESS) chains to, you would have to use a technique similar to the one sketched in [1] and follow-ups (i.e., use X509_verify_cert).

Kaspar

[1] https://mail-archives.apache.org/mod_mbox/httpd-dev/201109.mbox/%3c4e64f9a3.6040...@velox.ch%3E