Unhandled Critical Extensions

Unhandled Critical Extensions

on 07.06.2006 20:50:25 by Diarmuid Curtin


Hi,

How does MOD_SSL call OpenSSL for the purpose of Certificate Verification? I
have a certificate which has the critical extension 'Name Constraints', when
I parse the cert with OpenSSL 0.9.8(b) it seems OpenSSL understands the
Certificate, however, when I present the cert to Apache, it fails with the
Error Message 'Unhandled Critical Extensions'

This leads me to believe MOD_SSL calls OpenSSL in a different manner. Has
anyone any experience of this?


Diarmuid

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Unhandled Critical Extensions

on 07.06.2006 21:28:32 by Patrick Patterson

Hi Diarmuid:

On Wednesday 07 June 2006 14:50, Diarmuid Curtin wrote:
> Hi,
>
> How does MOD_SSL call OpenSSL for the purpose of Certificate Verification?
> I have a certificate which has the critical extension 'Name Constraints',
> when I parse the cert with OpenSSL 0.9.8(b) it seems OpenSSL understands
> the Certificate, however, when I present the cert to Apache, it fails with
> the Error Message 'Unhandled Critical Extensions'
>
> This leads me to believe MOD_SSL calls OpenSSL in a different manner. Has
> anyone any experience of this?
>
This looks like correct behaviour - since mod_ssl doesn't handle the name
constraints extension, but RFC3280 says that any extension marked critical
needs to be handled by the application, it is operating within the
specification of the RFC.

The fact that OpenSSL parses it correctly is somewhat irrelevant - mod_ssl
also probably does the parsing just fine, but then follows the RFC defined
behaviour for critical extension handling.

What probably needs to happen, is that someone needs to implement correct
handling for Name Constraints (and probably AIA and SIA, since Name
constraints really only come into play when you are doing Path Validation).

--
Patrick Patterson
Chief PKI Architect
Carillon Information Security Inc.
http://www.carillon.ca
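
Added example (not part of the thread, and not mod_ssl or OpenSSL code): the difference between parsing an extension and handling it, shown with a minimal DER reader over a constructed Extensions value. The `HANDLED` set, the function names and the sample data are assumptions made for illustration.

```python
# Added example. HANDLED is a hypothetical verifier's supported set (an
# assumption, not mod_ssl's real list); SAMPLE is constructed test data.
OID_NAMES = {"551d0e": "subjectKeyIdentifier", "551d0f": "keyUsage",
             "551d13": "basicConstraints", "551d1e": "nameConstraints"}
HANDLED = {"keyUsage", "basicConstraints"}

def tlv(tag, body):
    """Encode one DER TLV (short-form length, enough for the sample)."""
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Decode one TLV at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def parse_extensions(der):
    """Return [(name, critical, extnValue)] from a DER Extensions SEQUENCE."""
    _, seq, _ = read_tlv(der, 0)
    out, pos = [], 0
    while pos < len(seq):
        _, ext, pos = read_tlv(seq, pos)
        _, oid, p = read_tlv(ext, 0)
        tag, val, p = read_tlv(ext, p)
        critical = False                     # BOOLEAN DEFAULT FALSE may be absent
        if tag == 0x01:
            critical = val != b"\x00"
            _, val, p = read_tlv(ext, p)
        out.append((OID_NAMES.get(oid.hex(), oid.hex()), critical, val))
    return out

def unhandled_critical(der, handled=HANDLED):
    """Critical extensions outside the handled set; any hit means reject."""
    return [n for n, crit, _ in parse_extensions(der) if crit and n not in handled]

def make_ext(oid_hex, critical, value):      # builds one Extension for SAMPLE
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + flag + tlv(0x04, value))

SAMPLE = tlv(0x30,
    make_ext("551d13", True, tlv(0x30, tlv(0x01, b"\xff"))) +   # CA:TRUE
    make_ext("551d1e", True, tlv(0x30, tlv(0xA0, tlv(0x30, tlv(0x82, b"example.com"))))) +
    make_ext("551d0e", False, tlv(0x04, bytes(4))))
```

`parse_extensions(SAMPLE)` decodes all three extensions without error, while `unhandled_critical(SAMPLE)` still reports `nameConstraints`, which is the condition a verifier turns into a rejection.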

Re: Unhandled Critical Extensions

on 07.06.2006 21:56:35 by Diarmuid Curtin


Hi Patrick -

I agree, it is acting in accordance with the RFC - any critical extensions it
does not understand, it rejects.

Seems to me that name constraint handling marked as critical would be nice
to have...

DC

On 6/7/06, Patrick Patterson wrote:

> Hi Diarmuid:
>
> On Wednesday 07 June 2006 14:50, Diarmuid Curtin wrote:
> > Hi,
> >
> > How does MOD_SSL call OpenSSL for the purpose of Certificate Verification?
> > I have a certificate which has the critical extension 'Name Constraints',
> > when I parse the cert with OpenSSL 0.9.8(b) it seems OpenSSL understands
> > the Certificate, however, when I present the cert to Apache, it fails with
> > the Error Message 'Unhandled Critical Extensions'
> >
> > This leads me to believe MOD_SSL calls OpenSSL in a different manner. Has
> > anyone any experience of this?
> >
> This looks like correct behaviour - since mod_ssl doesn't handle the name
> constraints extension, but RFC3280 says that any extension marked critical
> needs to be handled by the application, it is operating within the
> specification of the RFC.
>
> The fact that OpenSSL parses it correctly is somewhat irrelevant - mod_ssl
> also probably does the parsing just fine, but then follows the RFC defined
> behaviour for critical extension handling.
>
> What probably needs to happen, is that someone needs to implement correct
> handling for Name Constraints (and probably AIA and SIA, since Name
> constraints really only come into play when you are doing Path
> Validation).
>
> --
> Patrick Patterson
> Chief PKI Architect
> Carillon Information Security Inc.
> http://www.carillon.ca
