Patch providing v3 extensions in environment

on 08.03.2004 21:59:29 by Kevin C Miller

I've patched mod_ssl to export some V3 extension information from
certificates into the environment. We are issuing client certificates with
the Subject Alternative Name being used to specify DNS names / email
addresses and need to authenticate using this information.

The patch is available from:
http://www.andrew.cmu.edu/~kevinm/mod_ssl-2.8.14-patch1

It applies to 2.8.16 as well with "patch -p9 < mod_ssl-2.8.14-patch1" in
the top level directory of the distribution.

Please let me know if there are problems with this patch or if it's
acceptable for inclusion in the distribution.

Thanks,
-Kevin

____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Patch providing v3 extensions in environment

on 08.03.2004 22:31:20 by Joe Orton

On Mon, Mar 08, 2004 at 03:59:29PM -0500, Kevin C Miller wrote:
> I've patched mod_ssl to export some V3 extension information from
> certificates into the environment. We are issuing client certificates with
> the Subject Alternative Name being used to specify DNS names / email
> addresses and need to authenticate using this information.
>
> The patch is available from:
> http://www.andrew.cmu.edu/~kevinm/mod_ssl-2.8.14-patch1

Neat... I'd avoid doing separate strcEQs for V3EXT_ and the rest
separately since strcasecmp is slow; and I'd also omit the V3EXT_ from
the name completely, just call it SSL_*_SUBJECT_ALTNAME or something and
do the one strcEQ in var_lookup_ssl_cert. Adding this in +StdEnvVars
might be a bit much...

How does OpenSSL serialize the altname extension if it contains multiple
names; is it usable in SSLRequire then?

(I don't speak for whether it's acceptable to Ralf for inclusion in
mod_ssl 2.8, of course :)

Regards,

joe

Re: Patch providing v3 extensions in environment

on 08.03.2004 23:01:53 by Kevin C Miller

> Neat... I'd avoid doing separate strcEQs for V3EXT_ and the rest
> separately since strcasecmp is slow; and I'd also omit the V3EXT_ from
> the name completely, just call it SSL_*_SUBJECT_ALTNAME or something and
> do the one strcEQ in var_lookup_ssl_cert.

I was assuming that at some point, it may be desirable to export data of
other X509v3 extensions, and this would provide a clean separation. But, I
see your point and will change the patch if people agree that no such
separation is needed.

> Adding this in +StdEnvVars might be a bit much...

Okay; adding another directive would obviously require a larger change, but
it doesn't look too complicated and I'm willing to, if there is agreement
that an "ExtEnvVars" or "AdvEnvVars" is desirable.

> How does OpenSSL serialize the altname extension if it contains multiple
> names; is it usable in SSLRequire then?

It would look like: "DNS:some.host.example.com, IP Address:10.0.0.1". So,
usable in SSLRequire although perhaps not as useful as it could be.

-Kevin

---------------------------------------------------
Kevin C. Miller
Network Development
Carnegie Mellon University
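An added example, not part of this thread or of mod_ssl, showing how an application behind Apache might consume the comma-joined altname text Kevin describes ("DNS:some.host.example.com, IP Address:10.0.0.1") and make an exact-match decision on one entry instead of regex-matching the whole string as SSLRequire would. The environment variable name SSL_CLIENT_S_SUBJECT_ALTNAME and the "email:" label are assumptions; the sample value is constructed.

```python
import os
from typing import List, Optional, Tuple

# Constructed sample in the serialized form quoted in the thread.
SAMPLE_ALTNAME = "DNS:some.host.example.com, IP Address:10.0.0.1, email:kevinm@example.com"


def parse_altname(serialized: str) -> List[Tuple[str, str]]:
    """Split the comma-joined SAN text into (type, value) pairs.

    Each entry is "<type>:<value>". The type label may contain a space
    ("IP Address") and the value may contain colons (URIs, IPv6), so split
    on the first colon only. Values that themselves contain ", " (e.g. a
    dirName) are not handled here.
    """
    entries: List[Tuple[str, str]] = []
    for item in serialized.split(", "):
        item = item.strip()
        if not item:
            continue
        if ":" not in item:
            # Keep unrecognised entries visible instead of dropping them silently.
            entries.append(("othername", item))
            continue
        kind, value = item.split(":", 1)
        entries.append((kind.strip(), value.strip()))
    return entries


def altname_has(serialized: str, kind: str, value: str) -> bool:
    """True if one parsed entry of the given type equals value.

    A regex over the whole string can match a prefix of a longer name
    ("DNS:host.example.com" inside "DNS:host.example.com.attacker.test");
    comparing whole parsed entries avoids that. DNS names compare
    case-insensitively, other types exactly.
    """
    for k, v in parse_altname(serialized):
        if k != kind:
            continue
        if kind == "DNS" and v.lower() == value.lower():
            return True
        if kind != "DNS" and v == value:
            return True
    return False


def client_altname_from_env(environ: Optional[dict] = None) -> str:
    """Read the SAN string from the env var the patch would set (name assumed)."""
    environ = os.environ if environ is None else environ
    return environ.get("SSL_CLIENT_S_SUBJECT_ALTNAME", "")
```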