Thanks for your reply. First of all I'd like to know if it is possible to disable the X-SSL-Subject and X-SSL-Issuer headers without disabling the X-SSL-Certificate header?

If that's not possible I probably need to determine where the error is. Here's where I am right now: the X-SSL-Subject header is definitely UTF-8 encoded (the 'Ö' is encoded as 0xC3 0x96; I was wrong about that in my previous message). This is probably because the subject DN RDN values are UTF-8 encoded. Does OpenSSL really build the entire header, or is it only used to get the subject and issuer DNs from the certificate? If it is the latter case I don't think it is possible to blame OpenSSL.

As for what is a valid HTTP header value, I believe, after reading RFC 2616 and RFC 2047 more carefully, that a header value may contain TEXT, which is defined as any octet except for CTLs (octets 0-31 and 127) but including LWS (which includes the control characters 9, 10, and 13). However, RFC 2616 also says that "Words of *TEXT MAY contain characters from character sets other than ISO-8859-1 only when encoded according to the rules of RFC 2047". RFC 2047 says that the character set of a header value can be specified by prefixing the header value with ?charset?. 'Ö' actually does exist in ISO-8859-1, but it is encoded as 0xD6, and the second of the two octets produced when UTF-8 encoding the character (i.e. 0x96) is not assigned in ISO-8859-1. This leads me to believe that the header really is invalid. Please correct me if I'm wrong.

Regards,
Mattias

On Thu, Jul 9, 2009 at 6:12 PM, Robert Segall <[email protected]> wrote:
> On Thu, 2009-07-09 at 09:08 +0200, Mattias Öhrn wrote:
> > Hello,
> >
> > I have a problem related to the client certificate HTTP headers added by
> > pound. When the client certificate contains a subject or issuer DN with
> > non-ASCII characters the corresponding header added by Pound (X-SSL-Subject
> > or X-SSL-Issuer) will get a value that contains invalid characters (e.g. 'Ö'
> > is encoded as 0x303, 0x226). I think this is incorrect according to RFC 2616.
> >
> > This has not been a problem until now when we're trying to migrate an
> > ASP.NET web service to Windows Communication Foundation (WCF). It turns out
> > that WCF is *very* strict about HTTP headers and if there is one invalid
> > header it is not possible to access any headers (and we need to retrieve the
> > certificate from the X-SSL-Certificate header). We don't need the
> > X-SSL-Subject or X-SSL-Issuer headers but I have not found any way of
> > choosing what headers should be added by Pound; as I understand it, it's all
> > or nothing. We are using Pound 2.2.7 on CentOS but I've read the change log
> > for the latest version and could not find any related fixes.
> >
> > Any suggestions?
>
> I suggest you check with the OpenSSL people - Pound uses the regular
> functions from that package to create the headers.
>
> As an aside, I am not really sure that these headers are illegal - RFC
> 2616 talks about "octets", which I think should allow for this.
> --
> Robert Segall
> Apsis GmbH
> Postfach, Uetikon am See, CH-8707
> Tel: +41-44-920 4904
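An added check (example code, not part of Pound or of anything posted in this thread) that classifies the raw octets of a proxy-generated header value against the RFC 2616 TEXT rule discussed above, reports any octet that lands in the 0x80-0x9F range an ISO-8859-1 reader treats as C1 controls (where the second byte of a UTF-8 'Ö' falls), and shows the RFC 2047 encoded-word form that keeps the value pure ASCII. The sample DN is constructed for the example.

```python
import base64

CTL = set(range(0, 32)) | {127}   # RFC 2616 CTL octets
LWS = {9, 10, 13, 32}             # octets that may appear as part of LWS


def is_rfc2616_text(value: bytes) -> bool:
    """TEXT rule: any octet except CTLs, with LWS octets still allowed."""
    return all(b not in CTL or b in LWS for b in value)


def c1_octets(value: bytes) -> list:
    """Octets 0x80-0x9F: read as ISO-8859-1 these are C1 control positions.
    A UTF-8 'Ö' (0xC3 0x96) puts its second byte, 0x96, right here."""
    return [b for b in value if 0x80 <= b <= 0x9F]


def classify_header_value(value: bytes) -> str:
    """Say how a header value's octets should be treated by a receiver."""
    if not is_rfc2616_text(value):
        return "invalid-ctl"
    if value.isascii():
        return "ascii"
    try:
        value.decode("utf-8")
        return "utf-8"
    except UnicodeDecodeError:
        return "latin-1"   # non-ASCII but not UTF-8: assume ISO-8859-1


def to_encoded_word(value: bytes, charset: str = "utf-8") -> str:
    """Wrap a non-ASCII value as an RFC 2047 encoded-word, =?UTF-8?B?...?=,
    which is pure ASCII and therefore safe under the ISO-8859-1 rule."""
    text = value.decode(charset)   # raises if the octets are not that charset
    b64 = base64.b64encode(text.encode("utf-8")).decode("ascii")
    return "=?UTF-8?B?%s?=" % b64


def from_encoded_word(word: str) -> str:
    """Decode a =?charset?B?payload?= encoded-word back to text."""
    _, charset, enc, payload, _ = word.split("?")
    if enc.upper() != "B":
        raise ValueError("only the B (base64) encoding is handled here")
    return base64.b64decode(payload).decode(charset)


# Constructed sample: a subject DN with 'Ö', UTF-8 encoded as the proxy emits it.
SAMPLE = b"CN=Mattias \xc3\x96hrn,O=Example"

if __name__ == "__main__":
    print(classify_header_value(SAMPLE), c1_octets(SAMPLE), to_encoded_word(SAMPLE))
```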
