On Tue, Sep 26, 2000 at 10:41:43AM +0200, [EMAIL PROTECTED] wrote:
> Full_Name: Ari Suutari
> Version: 2.6.2
> OS: FreeBSD 3.5
> Submission from: (NULL) (195.197.177.229)
>
>
> I'm running a web site with 'SSLOptions +FakeBasicAuth' to make
> information from client certificates available for ldap-based
> authentication (using Dave Carrigan's auth_ldap). Everything works
> very well, except when a client has a certificate that has
> scandinavian characters in subject (this is quite common actually).
> The subject is translated to string containing escape sequences
> like '\xC4' by mod_ssl & openssl, but ldap doesn't like that,
> since it is expecting either unescaped string or something
> like '\C4'. So the user's access is denied.
>
> Maybe mod_ssl could have an option which turns escaping off ?
>
No, it is the other way around. Your certificates should not contain
special characters - most apps will not handle that correctly. Just
as an example, try importing such a client certificate in MSIE - if
there is any such special chars in the CN, then it can't display the
name. I'm not entirely sure what the x509v3 spec says, but at least
in my experience, this is not a good idea(tm).
BTW: There was a patch posted on the list a while back to add LDAP
support to mod_ssl:
http://marc.theaimsgroup.com/?l=apache-modssl&m=95798113604790&w=2
vh
Mads Toftum
--
`Darn it, who spiked my coffee with water?!' - lwall
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
