Posted to dev@httpd.apache.org by Graham Leggett <mi...@sharp.fm> on 2014/01/14 19:16:04 UTC

mod_ssl: querying any certificate in the chain

Hi all,

https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#envvars describes how we might query many of the parameters in the current certificate; however, I have a need to query parameters in parent certificates in the chain, not just the primary certificate.

Most specifically, I am after the DN of the root certificate in the chain, which in the past was the issuer in the client certificate, but in an environment with intermediate certs this is no longer valid.

Would a syntax like this make some sense?

SSL_CLIENT_S_DN_n - Give me the subject DN of the nth certificate in the chain.
SSL_CLIENT_S_DN_x509_n - Give me the element of the subject DN of the nth certificate in the chain.

Regards,
Graham
--


Re: mod_ssl: querying any certificate in the chain

Posted by Daniel Ruggeri <DR...@primary.net>.
On 1/14/2014 12:16 PM, Graham Leggett wrote:
> Would a syntax like this make some sense?
>
> SSL_CLIENT_S_DN_n - Give me the subject DN of the nth certificate in the chain.
> SSL_CLIENT_S_DN_x509_n - Give me the element of the subject DN of the nth certificate in the chain.

I like this.
+1

I am assuming SSL_CLIENT_S_DN_n == SSL_CLIENT_S_DN. Would that be the
case? ...or are you counting to n from the other direction?

--
Daniel Ruggeri


Re: mod_ssl: querying any certificate in the chain

Posted by Kaspar Brand <ht...@velox.ch>.
On 14.01.2014 19:16, Graham Leggett wrote:
> Most specifically, I am after the DN of the root certificate in the chain, which in the past was the issuer in the client certificate, but in an environment with intermediate certs this is no longer valid.
> 
> Would a syntax like this make some sense?
> 
> SSL_CLIENT_S_DN_n - Give me the subject DN of the nth certificate in the chain.
> SSL_CLIENT_S_DN_x509_n - Give me the element of the subject DN of the nth certificate in the chain.

Could be a useful enhancement, yes. The numbering should match the one
for the CLIENT_CERT_CHAIN variables, I think, and both the CLIENT_S_*
and the CLIENT_I_* things should be available (only with SSLOptions
ExportCertData perhaps?).

Note that the last cert of the chain, which mod_ssl currently grabs by
means of SSL_get_peer_cert_chain() is often not the root... browsers
usually leave it out (see RFC 5246 section 7.4.6/7.4.2, "MAY be omitted
from the chain"), or in some cases do not provide any intermediate CA
certificates at all.

If you really want to determine what root a successfully verified client
certificate (SSL_CLIENT_VERIFY=SUCCESS) chains to, you would have to use
a technique similar to the one sketched in [1] and followups (i.e., use
X509_verify_cert).

Kaspar

[1]
https://mail-archives.apache.org/mod_mbox/httpd-dev/201109.mbox/%3C4E64F9A3.6040304@velox.ch%3E
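
The two points above (the client's issuer DN stops being the root DN as soon as an intermediate exists, and the chain the client presents normally omits the root, so only verification tells you which trust anchor was actually used) can be reproduced with the openssl command-line tool. The script below is an added example written for this page; it is not code from the thread, from httpd or from mod_ssl. It builds a constructed three-certificate PKI (root, intermediate, client, all names made up), prints the client certificate's issuer DN next to the root's subject DN, then verifies the client certificate against the root with only the intermediate supplied as untrusted material, the way a browser would present it, and reads the root's subject from the chain that verification built. "openssl verify -show_chain" is the command-line counterpart of the X509_verify_cert technique Kaspar refers to and needs OpenSSL 1.1.0 or later.

```shell
#!/bin/sh
# Added example for this page, not code from the httpd thread or from mod_ssl.
# Builds a constructed three-tier PKI (root -> intermediate -> client) with the
# openssl CLI and shows that the client cert's issuer DN is the intermediate,
# not the root, and that only chain verification (X509_verify_cert inside the
# server, "openssl verify" here) names the trust anchor actually used.
# Requires OpenSSL 1.1.0 or later for "verify -show_chain".
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
serial=0

# Minimal req config so the script does not depend on a system openssl.cnf;
# every subject is supplied with -subj, so the [dn] section stays empty.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# issue_cert NAME SUBJECT ISSUER EXTENSIONS
#   NAME        file stem under $WORK
#   SUBJECT     -subj string, e.g. /CN=alice
#   ISSUER      stem of the signing cert/key, or "" for a self-signed root
#   EXTENSIONS  x509v3 extension lines separated by "\n" (expanded by printf %b)
issue_cert() {
    name=$1 subject=$2 issuer=$3 exts=$4
    serial=$((serial + 1))
    openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$name.key"
    openssl req -new -config "$WORK/req.cnf" -key "$WORK/$name.key" \
        -subj "$subject" -out "$WORK/$name.csr"
    printf '%b\n' "$exts" > "$WORK/$name.ext"
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" \
            -days 2 -set_serial "$serial" -extfile "$WORK/$name.ext" \
            -out "$WORK/$name.pem" 2>/dev/null
    else
        openssl x509 -req -in "$WORK/$name.csr" \
            -CA "$WORK/$issuer.pem" -CAkey "$WORK/$issuer.key" \
            -days 2 -set_serial "$serial" -extfile "$WORK/$name.ext" \
            -out "$WORK/$name.pem" 2>/dev/null
    fi
}

# Constructed PKI: the CA certificates carry basicConstraints/keyUsage so that
# chain building accepts them as CAs; the leaf is a plain client certificate.
build_pki() {
    issue_cert root "/CN=Example Root CA" "" \
        'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign'
    issue_cert intermediate "/CN=Example Issuing CA" root \
        'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign'
    issue_cert client "/CN=alice" intermediate \
        'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth'
}

# DN helpers: strip the "subject="/"issuer=" prefix and keep openssl's default
# one-line name format, which is also what "verify -show_chain" prints.
subject_dn() { openssl x509 -in "$WORK/$1.pem" -noout -subject | sed 's/^subject= *//'; }
issuer_dn()  { openssl x509 -in "$WORK/$1.pem" -noout -issuer  | sed 's/^issuer= *//'; }

# What a server gets on the wire: the client certificate plus (at most) the
# intermediate, root omitted. Verifying that material against the trust store
# builds the full chain; its last element is the trust anchor actually used.
verified_root_dn() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" \
        -show_chain "$WORK/client.pem" \
      | sed -n 's/^depth=[0-9]*: //p' | sed 's/ (untrusted)$//' | tail -n 1
}

build_pki
printf 'client issuer DN (SSL_CLIENT_I_DN)       : %s\n' "$(issuer_dn client)"
printf 'intermediate subject DN (presented)      : %s\n' "$(subject_dn intermediate)"
printf 'root subject DN (not on the wire)        : %s\n' "$(subject_dn root)"
printf 'root DN recovered from verified chain    : %s\n' "$(verified_root_dn)"
```

The first and third lines of output differ, which is the point of the original post: SSL_CLIENT_I_DN names the issuing CA, not the root. The fourth line equals the third only because verification against the trust store completed the chain; had the intermediate been missing from the client's handshake, neither SSL_CLIENT_CERT_CHAIN_n nor the proposed SSL_CLIENT_S_DN_n could have named the root.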

Re: mod_ssl: querying any certificate in the chain

Posted by Ruediger Pluem <rp...@apache.org>.

Graham Leggett wrote:
> Hi all,
> 
> https://httpd.apache.org/docs/trunk/mod/mod_ssl.html#envvars describes how we might query many of the parameters in the current certificate; however, I have a need to query parameters in parent certificates in the chain, not just the primary certificate.
> 
> Most specifically, I am after the DN of the root certificate in the chain, which in the past was the issuer in the client certificate, but in an environment with intermediate certs this is no longer valid.
> 
> Would a syntax like this make some sense?
> 
> SSL_CLIENT_S_DN_n - Give me the subject DN of the nth certificate in the chain.
> SSL_CLIENT_S_DN_x509_n - Give me the element of the subject DN of the nth certificate in the chain.

+1

Regards

Rüdiger