Thanks for your reply.

I'm running 2.4.9 but maybe I'm missing something. The client cert
presented to Apache actually contains what I thought was the OID descriptor:
0.9.2342.19200300.100.1.1 and not "UID". That is, the subject line
interpreted by mod_ssl when being asked to display the contents of the
environment variable SSL_CLIENT_S_DN is:

   /O=impaq.net/OU=education/OU=Tintern/0.9.2342.19200300.100.1.1=tester

modssl seems to be expecting "UID=tester" not 0.9.2342... etc etc., and
therefore when I ask specifically for SSL_CLIENT_S_DN_UID, I get NULL and
not "tester". This seems to be an error in the way Netscape Cert server
formats the certificate but I'm not sure. From what someone else said, I
need to hack mod_ssl to equate 0.9.2... etc with UID as openssl doesn't
seem to understand this format?

 >
> >  On Thu, Jan 06, 2000, Andrew Hall wrote:
> > >
> > > > As I have read from recent postings to the list, any client certs generated
> > > > by Netscape's Certificate Server will present the UID as the OID:
> > > > 0.9.2342.19200300.100.1.1 of which mod_ssl/apache will ignore this when
> > > > presenting the environment variable:
> > > >
> > > > SSL_CLIENT_S_DN_UID .
> > > >
> > > > As I really need this presented as a valid UID, can someone please tell me
> > > > where I can patch the openssl code to recognise this OID as the UID.
> > >
> > > From CHANGES:
> > >
> > > |    Changes with mod_ssl 2.4.9 (05-Nov-1999 to 24-Nov-1999)
> > > |
> > > |    [...]
> > > |
> > > |    *) Added support for SSL_{CLIENT,SERVER}_{S,I}_DN_{T,I,G,S,D,UID}
> > > |       variables (corresponding to X.509 title, initials, givenName, surname,
> > > |       description and uniqueIdentifier OIDs) to allow the checking of more
> > > |       X.509 certificate ingredients.
> > > |
> > > |    [...]
> > >
> > > In short: just upgrade to 2.4.9 and the variable exists for you.
> > >
> > >                                        Ralf S. Engelschall
> > >                                        [EMAIL PROTECTED]
> > >                                        www.engelschall.com
> > >
> > >
> >
>
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
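
An application-side fallback for the situation described in the message above, as an added example that is not part of the original thread or of mod_ssl: when SSL_CLIENT_S_DN_UID is empty, read the dotted-OID component out of SSL_CLIENT_S_DN. The function names are hypothetical, and the environment is passed in as a plain dict so the sample DN from the message can be used directly.

```python
# Added example (not mod_ssl code). Helper names are hypothetical.
USERID_OID = "0.9.2342.19200300.100.1.1"  # OID quoted in the message above


def parse_oneline_dn(dn):
    """Split a one-line DN ("/K=V/K=V...") into a list of (key, value) pairs.

    A value containing "/" is ambiguous in this form, so a segment that does
    not look like "name=value" is treated as the tail of the previous value.
    """
    if not dn:
        return []
    if not dn.startswith("/"):
        raise ValueError("DN does not start with '/': %r" % dn)
    pairs = []
    for seg in dn.split("/")[1:]:
        key, sep, value = seg.partition("=")
        # Attribute names are short names (OU) or dotted OIDs (0.9.2342...).
        if sep and key.replace(".", "").isalnum():
            pairs.append([key, value])
        elif pairs:
            pairs[-1][1] += "/" + seg
        else:
            raise ValueError("malformed DN: %r" % dn)
    return [tuple(p) for p in pairs]


def client_uid(env):
    """Return the client's user id, or None if it cannot be determined.

    Prefers SSL_CLIENT_S_DN_UID; otherwise looks for the userid OID in
    SSL_CLIENT_S_DN. Fails closed: a malformed DN, or more than one userid
    component, yields None rather than a guess.
    """
    uid = env.get("SSL_CLIENT_S_DN_UID")
    if uid:
        return uid
    try:
        pairs = parse_oneline_dn(env.get("SSL_CLIENT_S_DN", ""))
    except ValueError:
        return None
    matches = [v for k, v in pairs if k == USERID_OID]
    return matches[0] if len(matches) == 1 and matches[0] else None
```

Use the result for access decisions only when the server has already verified the client certificate chain, since the DN string is otherwise just text supplied by the client.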
