On Fri, May 23, 2008 at 04:46:48PM +0200, Michael Ströder wrote:
>> In the current 2.x mod_ssl sources, UID maps to:
>>
>> #ifdef NID_x500UniqueIdentifier /* new name as of Openssl 0.9.7 */
>> { "UID", NID_x500UniqueIdentifier },
>> #else /* old name, OpenSSL < 0.9.7 */
>> { "UID", NID_uniqueIdentifier },
>> #endif
>
> Hmm, the user ID is already stored by mod_ssl with attribute name "UID" in
> env var SSL_CLIENT_S_DN. Given that it's OpenSSL 0.9.8 and that the
> attribute type seems to be interpreted as UID is it safe to assume that the
> cert contains the right OID?

No, unfortunately there is disparity between mod_ssl and OpenSSL here.
(I don't know why; I think historically the short name mappings were not
unique in OpenSSL possibly, something like that)

OpenSSL uses "UID" for NID_userId (OID mapping an exercise for the
reader, see obj_mac.h in OpenSSL ;). So in fact that's the tag used for
that RDN.

> If NID_x500UniqueIdentifier maps to OID 2.5.4.45 it's plain wrong anyway...

It does indeed map to that OID... wrong in what sense?

joe
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List
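
Added example, not part of the original message and not mod_ssl or OpenSSL code: a minimal DER walker that reports which OID a subject attribute actually carries, since the thread shows "UID" being used for NID_userId by OpenSSL and for NID_x500UniqueIdentifier by the mod_ssl 2.x table. The userId OID 0.9.2342.19200300.100.1.1 is the value from OpenSSL's obj_mac.h; the function names and the sample Name bytes are constructed for illustration.

```python
# Added example (not mod_ssl or OpenSSL code); SAMPLE_NAME is constructed data.
WHO_CALLS_IT_UID = {
    "0.9.2342.19200300.100.1.1": "NID_userId (OpenSSL short name UID)",
    "2.5.4.45": "NID_x500UniqueIdentifier (UID in the mod_ssl 2.x table)",
}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0  # walk the elements packed inside a constructed value
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def decode_oid(body):
    """Turn OBJECT IDENTIFIER content octets into dotted-decimal form."""
    arcs, acc = [], 0
    for octet in body:
        acc = (acc << 7) | (octet & 0x7F)
        if not octet & 0x80:  # high bit clear ends the current arc
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)  # the first two arcs share one value
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def uid_like_attributes(der_name):
    """Return [(oid, who_calls_it_UID)] for the attributes of a DER Name."""
    hits = []
    for _, rdn in children(read_tlv(der_name, 0)[1]):  # each RDN is a SET
        for _, atv in children(rdn):  # of SEQUENCE { type, value }
            oid = decode_oid(next(children(atv))[1])  # type OID comes first
            if oid in WHO_CALLS_IT_UID:
                hits.append((oid, WHO_CALLS_IT_UID[oid]))
    return hits

# Constructed Name: CN=Test User, userId=jdoe, x500UniqueIdentifier=0xBEEF
SAMPLE_NAME = bytes.fromhex(
    "3038" "311230100603550403" "0c09546573742055736572"
    "31143012060a0992268993f22c640101" "0c046a646f65"
    "310c300a060355042d" "030300beef"
)
```

Calling `uid_like_attributes(SAMPLE_NAME)` lists both attributes with their OIDs, which is the check to make before trusting a "UID=" component in SSL_CLIENT_S_DN as a login name.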