This is a multi-part message in MIME format.
--------------000808010101020202040508
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: quoted-printable
mod_ssl can perform client authentication on certificate in
Apache and client authorization on certain certificate extensions. We
are setting up CA here and we want to restrict access to certain website
by checking the presence of certain certificate extension using its OID.
The syntax which mod_ssl is forcing us to use is the following:
<Location />
SSLRequire =E2=80=9Csome string=E2=80=9D in OID(=E2=80=9C1.2.=
3.4=E2=80=A6..=E2=80=9D)
</Location>
As you can see, we need to match this string exactly in extension=E2=80=99=
s
value. We can encounter problem with this, because this extension may
not be listed in openssl list of valid extensions
(crypto/objects/objects.h). As I learned the mod_ssl and openssl code,
mod_ssl would not be able to match the string because the object of this
OID does not have valid NID in openssl. OpenSSL seems incapable of
determining the type of arbitrary extension we want to use as
restricting factor. Hence, mod_ssl can not even extract its value from
certificate.
Well, I poked around the problem for some time and found no
other way than to patch mod_ssl by adding one new function in
ssl_expr_eval.c which does almost the same thing as ssl_extlist_by_oid()
and ssl_expr_eval_oid() but does not intend to extract the value of
certificate extension. I also added some change to ssl_expr_eval_comp(),
so if you supply the zero-length word in SSLRequire, it uses my new
function instead of ssl_expr_eval_oid(). So, the new syntax is like this:
<Location />
SSLRequire =E2=80=9C=E2=80=9D in OID(=E2=80=9C1.2.3.4=E2=80=A6=
...=E2=80=9D)
</Location>
If you are aware of more attractive and =E2=80=9Cright=E2=80=9D=
way to make
it, please acknowledge. My patch for apache-2.2.11 is attached.
--
Zhumabekov Yerden
--------------000808010101020202040508
Content-Type: application/gzip;
name="apache_oid_presence.patch.gz"
Content-Transfer-Encoding: base64
Content-Disposition: inline;
filename="apache_oid_presence.patch.gz"
H4sICEofAEoAA2FwYWNoZV9vaWRfcHJlc2VuY2UucGF0Y2gArVXbbtpAEH0u XzF9M9gG2wmp
kpY0vVCpFQIppFLfLMceh03MLl0vgSjNv3fGNnc3bdVaGMzsXM6cObtORJqC O4zmGtrtzsSY
WeIG7aDt+22VJZ2pSuYZ5p08z/gOcTnTId5HWTuG9nOrDdd1/zbji8DzXrl+ 4Ppd8I/PjoMz
ivFWF9jeiec1bNt+vjJnOXW9Ln3APzk78s+63kGWiwtwj06cE7Dp+xVcXDSg AbmJjIjh/Wg0
ANjJGsZqOrM0fp9jbkKNMbSctQe0mq/XwfEkIsNu8ELp5Nlge7syr8QTjO9C JZJwpjFHGeNu
vHYgVjI3VTlyzI3eQlHXAjk9m4RR/iZtXXPpXMZhKjLc77B03ooW0sA+KMof T2cZLq3SfSuM
R+QHPk3H9oPA8b1iSvuXSMFSM+j1QM3CkUgGIjf9DKcoTRMeD/35qvo9gh7U DcoBPGLYDbcu
OFVzmRxEFuQ6sPDp5mC7LpSxUsMZSmvhN+FlD7xmvec/FsIsxz9LXCe0KjPU k9dpwdUENcJC
ZBlcI0gFU6X5N8EclAQzQchoDCRyVfyhzPPMgMghmpuJ0oL1cI/Q6tSXuNYY 3ZUCCLpd3qRB
99Q57u4IQKOZawnMSaR19ECAnwjzf9pKDfuxJJBFGxNhhgjzHLitGC/SV331 4NO7wbhfrXzr
eqfQWuZkHn4dDCrru/HQD0fvv/Q/XBU1KvN4PPigpLxkIASWgEiKmz6wke5U 3FjaPWczxkYo
yQMvI2kMRot7ETGL9kpdJXreDVwbfvyAddYDk3tODyv7lg4rYlc9rct9RIN6 KiQWM6VKsECI
aPCZUndC3pCu9A4YRkPdUNehWZpAXd9W+Bzwm811ZXjc1O5fXoZxhhGJXWul rW2B7+Fi09MW
PEZiCmFG8gFwaVDmxFhOEywAx6jN2118xZBoBOENmnCGqEN2EqmII4PWNk0b uETgBpK1UgYP
vchCdcPCSMnLIG+nwd80MVB0lql71BDR5to04fCzjmJTtEL7TGhMeAb5uiNm 37pllb6GW3hT
ipYebXsHQIG0/+2qPxx/Hg2hRXn38BNy0vlGaSu6eI50Vlvk4p7TMEmRDkOo 6XLVa7U9ri6/
9g9OqmqTr61Pe2wUkFKNyExWfr+SR8VqWZBsnAT2D4L/8CZsrN4ofCrQUfAT CWkNIj0JAAA=
--------------000808010101020202040508--
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org
