Hi Diarmuid:

On Wednesday 07 June 2006 14:50, Diarmuid Curtin wrote:
> Hi,
>
> How does MOD_SSL call OpenSSL for the purpose of Certificate Verification?
> I have a certificate which has the critical extension 'Name Constraints',
> when I parse the cert with OpenSSL 0.9.8(b) it seems OpenSSL understands
> the Certificate, however, when I present the cert to Apache, it fails with
> the Error Message 'Unhandled Critical Extensions'
>
> This leads me to believe MOD_SSL calls OpenSSL in a different manner. Has
> anyone any experience of this?
>

This looks like correct behaviour - since mod_ssl doesn't handle the name constraints extension, but RFC3280 says that any extension marked critical needs to be handled by the application, it is operating within the specification of the RFC.

The fact that OpenSSL parses it correctly is somewhat irrelevant - mod_ssl also probably does the parsing just fine, but then follows the RFC-defined behaviour for critical extension handling.

What probably needs to happen is that someone needs to implement correct handling for Name Constraints (and probably AIA and SIA, since Name Constraints really only come into play when you are doing Path Validation).

--
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
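As an added illustration (not part of this thread or of mod_ssl's code), here is a small Python model of the RFC 3280 rule Patrick describes: the verifier parses every extension, and any extension it does not implement is fatal only when its critical flag is set. The Extensions field, the set of handled OIDs and the minimal DER helpers are all constructed for this example.

```python
# Which extension OIDs this toy verifier knows how to process. nameConstraints
# (2.5.29.30) is deliberately absent, mirroring the mod_ssl behaviour in the thread.
HANDLED = {"2.5.29.15", "2.5.29.19", "2.5.29.17"}  # keyUsage, basicConstraints, subjectAltName

def tlv(tag, content):
    """Minimal DER encoder (short-form lengths only) used to build the sample below."""
    return bytes([tag, len(content)]) + content

def der_tlv(b, i):
    """Return (tag, value, next_index) for the DER TLV at b[i] (short-form lengths only)."""
    tag, length = b[i], b[i + 1]
    return tag, b[i + 2:i + 2 + length], i + 2 + length

def decode_oid(v):
    """Decode OBJECT IDENTIFIER content bytes into dotted form."""
    arcs, acc = [v[0] // 40, v[0] % 40], 0
    for byte in v[1:]:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Parse Extensions ::= SEQUENCE OF Extension into (oid, critical, value) tuples."""
    _, body, _ = der_tlv(der, 0)
    out, i = [], 0
    while i < len(body):
        _, ext, i = der_tlv(body, i)
        _, oid, j = der_tlv(ext, 0)
        tag, val, j = der_tlv(ext, j)
        critical = False
        if tag == 0x01:  # BOOLEAN critical present; RFC 3280 says DEFAULT FALSE when absent
            critical = val == b"\xff"
            _, val, j = der_tlv(ext, j)
        out.append((decode_oid(oid), critical, val))
    return out

def unhandled_critical(der):
    """RFC 3280 6.1.4: a critical extension the verifier cannot process must fail the path."""
    return [oid for oid, crit, _ in parse_extensions(der) if crit and oid not in HANDLED]

# Constructed sample Extensions field (not from a real certificate): basicConstraints
# critical CA:TRUE, nameConstraints critical permitted DNS:.example.com, keyUsage non-critical.
SAMPLE = tlv(0x30,
    tlv(0x30, b"\x06\x03\x55\x1d\x13" + tlv(0x01, b"\xff")
        + tlv(0x04, tlv(0x30, tlv(0x01, b"\xff"))))
    + tlv(0x30, b"\x06\x03\x55\x1d\x1e" + tlv(0x01, b"\xff")
        + tlv(0x04, tlv(0x30, tlv(0xa0, tlv(0x30, tlv(0x82, b".example.com"))))))
    + tlv(0x30, b"\x06\x03\x55\x1d\x0f" + tlv(0x04, tlv(0x03, b"\x07\x80"))))
```

`unhandled_critical(SAMPLE)` returns `["2.5.29.30"]`: the parser understood the name constraints perfectly well, exactly as OpenSSL did in Diarmuid's test, but the verifier still has to reject the certificate because it does not implement that critical extension.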