Posted to cvs@httpd.apache.org by sf...@apache.org on 2011/01/02 00:56:24 UTC
svn commit: r1054323 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml docs/manual/upgrading.xml modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_vars.c modules/ssl/ssl_private.h modules/ssl/ssl_util_ssl.c modules/ssl/ssl_util_ssl.h
Author: sf
Date: Sat Jan 1 23:56:24 2011
New Revision: 1054323
URL: http://svn.apache.org/viewvc?rev=1054323&view=rev
Log:
Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables
to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and
escape other special characters with backslashes. The old format can
still be used with the LegacyDNStringFormat argument to SSLOptions.
Modified:
httpd/httpd/trunk/CHANGES
httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
httpd/httpd/trunk/docs/manual/upgrading.xml
httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
httpd/httpd/trunk/modules/ssl/ssl_private.h
httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
Modified: httpd/httpd/trunk/CHANGES
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1054323&r1=1054322&r2=1054323&view=diff
==============================================================================
--- httpd/httpd/trunk/CHANGES [utf-8] (original)
+++ httpd/httpd/trunk/CHANGES [utf-8] Sat Jan 1 23:56:24 2011
@@ -2,6 +2,11 @@
Changes with Apache 2.3.11
+ *) mod_ssl: Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables
+ to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and
+ escape other special characters with backslashes. The old format can
+ still be used with the LegacyDNStringFormat argument to SSLOptions.
+
*) core, mod_rewrite: Make the REQUEST_SCHEME variable available to
scripts and mod_rewrite. [Stefan Fritsch]
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1054323&r1=1054322&r2=1054323&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Sat Jan 1 23:56:24 2011
@@ -106,6 +106,10 @@ attribute. For example, where the serve
included two OU fields, <code>SSL_SERVER_S_DN_OU_0</code> and
<code>SSL_SERVER_S_DN_OU_1</code> could be used to reference each.</p>
+<p>The format of the <em>*_DN</em> variables has changed in Apache HTTPD
+2.3.11. See the <code>LegacyDNStringFormat</code> option for
+<directive module="mod_ssl">SSLOptions</directive> for details.</p>
+
<p><code>SSL_CLIENT_V_REMAIN</code> is only available in version 2.1
and later.</p>
@@ -1181,6 +1185,21 @@ The available <em>option</em>s are:</p>
checks sometimes maybe not what the user expects, so enable this on a
per-directory basis only, please.</p>
</li>
+<li><code>LegacyDNStringFormat</code>
+ <p>
+ This option influences how values of the
+ <code>SSL_{CLIENT,SERVER}_{I,S}_DN</code> variables are formatted. Since
+ version 2.3.11, Apache HTTPD uses a RFC 2253 compatible format by
+ default. This uses commas as delimiters between the attributes, allows the
+ use of non-ASCII characters (which are converted to UTF8), escapes
+ various special characters with backslashes, and sorts the attributes
+ with the "C" attribute last.</p>
+
+ <p>If <code>LegacyDNStringFormat</code> is set, the old format will be
+ used which sorts the "C" attribute first, uses slashes as separators, and
+ does not handle non-ASCII and special characters in any consistent way.
+ </p>
+</li>
</ul>
<example><title>Example</title>
SSLOptions +FakeBasicAuth -StrictRequire<br />
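Review bot: wording in the new LegacyDNStringFormat paragraph: "a RFC 2253 compatible format" should read "an RFC 2253-compatible format", and "UTF8" is conventionally written "UTF-8" (the CHANGES entry and the commit log use the same spelling). It would also help administrators who match on these variables in access-control rules to be told what "various special characters" means in RFC 2253 terms: comma, plus, double quote, backslash, angle brackets and semicolon anywhere in a value, plus a leading '#' or space and a trailing space, each of which gets a backslash.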
Modified: httpd/httpd/trunk/docs/manual/upgrading.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/upgrading.xml?rev=1054323&r1=1054322&r2=1054323&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/upgrading.xml (original)
+++ httpd/httpd/trunk/docs/manual/upgrading.xml Sat Jan 1 23:56:24 2011
@@ -236,6 +236,12 @@
<li><module>mod_auto_index</module>: will now extract titles and
display descriptions for .xhtml files, which were previously
ignored.</li>
+
+ <li><module>mod_ssl</module>: The default format of the <code>*_DN</code>
+ variables has changed. The old format can still be used with the new
+ <code>LegacyDNStringFormat</code> argument to <directive
+ module="mod_ssl">SSLOptions</directive>.</li>
+
<li><program>htpasswd</program> now uses MD5 hash by default on
all platforms.</li>
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_config.c?rev=1054323&r1=1054322&r2=1054323&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_config.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_config.c Sat Jan 1 23:56:24 2011
@@ -1107,6 +1107,9 @@ const char *ssl_cmd_SSLOptions(cmd_parms
else if (strcEQ(w, "OptRenegotiate")) {
opt = SSL_OPT_OPTRENEGOTIATE;
}
+ else if (strcEQ(w, "LegacyDNStringFormat")) {
+ opt = SSL_OPT_LEGACYDNFORMAT;
+ }
else {
return apr_pstrcat(cmd->pool,
"SSLOptions: Illegal option '", w, "'",
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c?rev=1054323&r1=1054322&r2=1054323&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c Sat Jan 1 23:56:24 2011
@@ -39,8 +39,8 @@
** _________________________________________________________________
*/
-static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, char *var);
-static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, X509 *xs, char *var);
+static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, char *var);
+static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, char *var);
static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *var);
static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_UTCTIME *tm);
static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_UTCTIME *tm);
@@ -73,7 +73,7 @@ static apr_array_header_t *expr_peer_ext
static const char *expr_var_fn(ap_expr_eval_ctx_t *ctx, const void *data)
{
char *var = (char *)data;
- return ssl_var_lookup_ssl(ctx->p, ctx->c, var);
+ return ssl_var_lookup_ssl(ctx->p, ctx->c, ctx->r, var);
}
static int ssl_expr_lookup(ap_expr_lookup_parms *parms)
@@ -241,7 +241,7 @@ char *ssl_var_lookup(apr_pool_t *p, serv
SSLConnRec *sslconn = myConnConfig(c);
if (strlen(var) > 4 && strcEQn(var, "SSL_", 4)
&& sslconn && sslconn->ssl)
- result = ssl_var_lookup_ssl(p, c, var+4);
+ result = ssl_var_lookup_ssl(p, c, r, var+4);
else if (strcEQ(var, "REMOTE_ADDR"))
result = c->remote_ip;
else if (strcEQ(var, "HTTPS")) {
@@ -313,7 +313,8 @@ char *ssl_var_lookup(apr_pool_t *p, serv
return (char *)result;
}
-static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, char *var)
+static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r,
+ char *var)
{
SSLConnRec *sslconn = myConnConfig(c);
char *result;
@@ -358,13 +359,17 @@ static char *ssl_var_lookup_ssl(apr_pool
}
else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "CLIENT_", 7)) {
if ((xs = SSL_get_peer_certificate(ssl)) != NULL) {
- result = ssl_var_lookup_ssl_cert(p, xs, var+7);
+ result = ssl_var_lookup_ssl_cert(p, r, xs, var+7);
X509_free(xs);
}
}
else if (ssl != NULL && strlen(var) > 7 && strcEQn(var, "SERVER_", 7)) {
- if ((xs = SSL_get_certificate(ssl)) != NULL)
- result = ssl_var_lookup_ssl_cert(p, xs, var+7);
+ if ((xs = SSL_get_certificate(ssl)) != NULL) {
+ result = ssl_var_lookup_ssl_cert(p, r, xs, var+7);
+ /* SSL_get_certificate is different from SSL_get_peer_certificate.
+ * No need to X509_free(xs).
+ */
+ }
}
else if (ssl != NULL && strcEQ(var, "COMPRESS_METHOD")) {
result = ssl_var_lookup_ssl_compress_meth(ssl);
@@ -386,13 +391,44 @@ static char *ssl_var_lookup_ssl(apr_pool
return result;
}
-static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, X509 *xs, char *var)
+static char *ssl_var_lookup_ssl_cert_dn_oneline(apr_pool_t *p, request_rec *r,
+ X509_NAME *xsname)
+{
+ char *result;
+ SSLDirConfigRec *dc;
+ int legacy_format = 0;
+ if (r) {
+ dc = myDirConfig(r);
+ legacy_format = dc->nOptions & SSL_OPT_LEGACYDNFORMAT;
+ }
+ if (legacy_format) {
+ char *cp = X509_NAME_oneline(xsname, NULL, 0);
+ result = apr_pstrdup(p, cp);
+ modssl_free(cp);
+ }
+ else {
+ BIO* bio;
+ int n;
+ unsigned long flags = XN_FLAG_RFC2253 & ~ASN1_STRFLGS_ESC_MSB;
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ return NULL;
+ X509_NAME_print_ex(bio, xsname, 0, flags);
+ n = BIO_pending(bio);
+ result = apr_palloc(p, n+1);
+ n = BIO_read(bio, result, n);
+ result[n] = NUL;
+ BIO_free(bio);
+ }
+ return result;
+}
+
+static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
+ char *var)
{
char *result;
BOOL resdup;
X509_NAME *xsname;
int nid;
- char *cp;
result = NULL;
resdup = TRUE;
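Review bot: in ssl_var_lookup_ssl_cert_dn_oneline the value BIO_read returns is stored back into n and used as an index without a check. BIO_read returns a negative value on error, and a memory BIO with nothing pending can report exactly that, which is what happens for an X509_NAME with no entries (X509_NAME_print_ex then writes nothing and BIO_pending is 0); in that case `result[n] = NUL;` writes before the allocation. Suggest `if (n < 0) n = 0;` ahead of the store, or checking the X509_NAME_print_ex result and returning NULL. Separately, when r is NULL the function silently falls back to the new format, so LegacyDNStringFormat cannot take effect for connection-level lookups (expr_var_fn passes whatever ctx->r holds); a one-line comment there would save the next reader a trip through the callers.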
@@ -414,27 +450,23 @@ static char *ssl_var_lookup_ssl_cert(apr
result = ssl_var_lookup_ssl_cert_remain(p, X509_get_notAfter(xs));
resdup = FALSE;
}
- else if (strcEQ(var, "S_DN")) {
- xsname = X509_get_subject_name(xs);
- cp = X509_NAME_oneline(xsname, NULL, 0);
- result = apr_pstrdup(p, cp);
- modssl_free(cp);
- resdup = FALSE;
- }
- else if (strlen(var) > 5 && strcEQn(var, "S_DN_", 5)) {
- xsname = X509_get_subject_name(xs);
- result = ssl_var_lookup_ssl_cert_dn(p, xsname, var+5);
- resdup = FALSE;
- }
- else if (strcEQ(var, "I_DN")) {
- xsname = X509_get_issuer_name(xs);
- cp = X509_NAME_oneline(xsname, NULL, 0);
- result = apr_pstrdup(p, cp);
- modssl_free(cp);
+ else if (*var && strcEQ(var+1, "_DN")) {
+ if (*var == 'S')
+ xsname = X509_get_subject_name(xs);
+ else if (*var == 'I')
+ xsname = X509_get_issuer_name(xs);
+ else
+ return NULL;
+ result = ssl_var_lookup_ssl_cert_dn_oneline(p, r, xsname);
resdup = FALSE;
}
- else if (strlen(var) > 5 && strcEQn(var, "I_DN_", 5)) {
- xsname = X509_get_issuer_name(xs);
+ else if (strlen(var) > 5 && strcEQn(var+1, "_DN_", 4)) {
+ if (*var == 'S')
+ xsname = X509_get_subject_name(xs);
+ else if (*var == 'I')
+ xsname = X509_get_issuer_name(xs);
+ else
+ return NULL;
result = ssl_var_lookup_ssl_cert_dn(p, xsname, var+5);
resdup = FALSE;
}
@@ -516,13 +548,7 @@ static char *ssl_var_lookup_ssl_cert_dn(
n =OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
if (n == ssl_var_lookup_ssl_cert_dn_rec[i].nid && idx-- == 0) {
- unsigned char *data = X509_NAME_ENTRY_get_data_ptr(xsne);
- /* cast needed from unsigned char to char */
- result = apr_pstrmemdup(p, (char *)data,
- X509_NAME_ENTRY_get_data_len(xsne));
-#if APR_CHARSET_EBCDIC
- ap_xlate_proto_from_ascii(result, X509_NAME_ENTRY_get_data_len(xsne));
-#endif /* APR_CHARSET_EBCDIC */
+ result = SSL_X509_NAME_ENTRY_to_string(p, xsne);
break;
}
}
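Review bot: this hunk routes the per-attribute SSL_*_DN_<attr> variables through SSL_X509_NAME_ENTRY_to_string as well, so their values change (control characters escaped, non-ASCII converted to UTF-8) regardless of LegacyDNStringFormat, while the documentation added in mod_ssl.xml describes the option as affecting only the SSL_{CLIENT,SERVER}_{I,S}_DN variables. Either document the per-attribute change in mod_ssl.xml and upgrading.xml, or honour the option here too. Note also that the helper returns NULL when BIO_new fails and that NULL then becomes the variable's value; that is consistent with "unset", but a comment would make the intent clear.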
@@ -759,7 +785,6 @@ static void extract_dn(apr_table_t *t, a
tag = apr_hash_get(nids, &nid, sizeof nid);
if (tag) {
- unsigned char *data = X509_NAME_ENTRY_get_data_ptr(xsne);
const char *key;
int *dup;
char *value;
@@ -776,13 +801,7 @@ static void extract_dn(apr_table_t *t, a
apr_hash_set(count, &nid, sizeof nid, dup);
key = apr_pstrcat(p, pfx, tag, NULL);
}
-
- /* cast needed from 'unsigned char *' to 'char *' */
- value = apr_pstrmemdup(p, (char *)data,
- X509_NAME_ENTRY_get_data_len(xsne));
-#if APR_CHARSET_EBCDIC
- ap_xlate_proto_from_ascii(value, X509_NAME_ENTRY_get_data_len(xsne));
-#endif /* APR_CHARSET_EBCDIC */
+ value = SSL_X509_NAME_ENTRY_to_string(p, xsne);
apr_table_setn(t, key, value);
}
}
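Review bot: same point as for ssl_var_lookup_ssl_cert_dn: extract_dn now exports the escaped, UTF-8 form with no legacy path, so the option's documentation should say so. More importantly, SSL_X509_NAME_ENTRY_to_string returns NULL when BIO_new fails, and that NULL goes straight into `apr_table_setn(t, key, value);`; guard it, e.g. `if (value) apr_table_setn(t, key, value);`, or treat the failure as an error, since consumers of the table are unlikely to expect a NULL value.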
Modified: httpd/httpd/trunk/modules/ssl/ssl_private.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_private.h?rev=1054323&r1=1054322&r2=1054323&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_private.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_private.h Sat Jan 1 23:56:24 2011
@@ -230,7 +230,7 @@ typedef int ssl_algo_t;
#define SSL_OPT_FAKEBASICAUTH (1<<4)
#define SSL_OPT_STRICTREQUIRE (1<<5)
#define SSL_OPT_OPTRENEGOTIATE (1<<6)
-#define SSL_OPT_ALL (SSL_OPT_STDENVVARS|SSL_OPT_EXPORTCERTDATA|SSL_OPT_FAKEBASICAUTH|SSL_OPT_STRICTREQUIRE|SSL_OPT_OPTRENEGOTIATE)
+#define SSL_OPT_LEGACYDNFORMAT (1<<7)
typedef int ssl_opt_t;
/**
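Review bot: the `-` line removes the SSL_OPT_ALL definition entirely instead of extending it with SSL_OPT_LEGACYDNFORMAT, and the commit log does not mention it. If SSL_OPT_ALL still has users the build breaks; if it is dead, say so in the log (or drop it in a separate cleanup); if it is live, keep it and add the new bit.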
Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c?rev=1054323&r1=1054322&r2=1054323&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c Sat Jan 1 23:56:24 2011
@@ -344,14 +344,32 @@ BOOL SSL_X509_getBC(X509 *cert, int *ca,
#endif
}
+/* convert a NAME_ENTRY to UTF8 string */
+char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
+{
+ char *result = NULL;
+ BIO* bio;
+ int len;
+
+ if ((bio = BIO_new(BIO_s_mem())) == NULL)
+ return NULL;
+ ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(xsne),
+ ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_UTF8_CONVERT);
+ len = BIO_pending(bio);
+ result = apr_palloc(p, len+1);
+ len = BIO_read(bio, result, len);
+ result[len] = NUL;
+ BIO_free(bio);
+ ap_xlate_proto_from_ascii(value, len);
+ return result;
+}
+
/* retrieve subject CommonName of certificate */
BOOL SSL_X509_getCN(apr_pool_t *p, X509 *xs, char **cppCN)
{
X509_NAME *xsn;
X509_NAME_ENTRY *xsne;
int i, nid;
- unsigned char *data_ptr;
- int data_len;
xsn = X509_get_subject_name(xs);
for (i = 0; i < sk_X509_NAME_ENTRY_num((STACK_OF(X509_NAME_ENTRY) *)
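Review bot: `ap_xlate_proto_from_ascii(value, len);` references `value`, which does not exist in SSL_X509_NAME_ENTRY_to_string (the buffer is `result`), so this does not compile as committed. Beyond the identifier, applying an ASCII-to-native translation to a buffer that ASN1_STRFLGS_UTF8_CONVERT has just produced as UTF-8 is questionable, since bytes above 0x7F are no longer single-byte characters; consider dropping the call. As in ssl_engine_vars.c, `len` from BIO_read is used as an index unchecked, so an empty attribute value (nothing written, BIO_pending 0, BIO_read possibly returning a negative value) would store `result[len] = NUL` before the buffer; clamp with `if (len < 0) len = 0;` or return NULL.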
@@ -360,12 +378,7 @@ BOOL SSL_X509_getCN(apr_pool_t *p, X509
X509_NAME_get_entries(xsn), i);
nid = OBJ_obj2nid((ASN1_OBJECT *)X509_NAME_ENTRY_get_object(xsne));
if (nid == NID_commonName) {
- data_ptr = X509_NAME_ENTRY_get_data_ptr(xsne);
- data_len = X509_NAME_ENTRY_get_data_len(xsne);
- *cppCN = apr_palloc(p, data_len+1);
- apr_cpystrn(*cppCN, (char *)data_ptr, data_len+1);
- (*cppCN)[data_len] = NUL;
- ap_xlate_proto_from_ascii(*cppCN, data_len);
+ *cppCN = SSL_X509_NAME_ENTRY_to_string(p, xsne);
return TRUE;
}
}
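Review bot: SSL_X509_getCN now returns TRUE even when SSL_X509_NAME_ENTRY_to_string returned NULL (BIO_new failure), leaving *cppCN NULL for a caller that expects a string. Suggest `return *cppCN != NULL;` or an explicit NULL check that returns FALSE.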
Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h?rev=1054323&r1=1054322&r2=1054323&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h Sat Jan 1 23:56:24 2011
@@ -85,6 +85,7 @@ int SSL_X509_STORE_lookup(X509_S
char *SSL_make_ciphersuite(apr_pool_t *, SSL *);
BOOL SSL_X509_isSGC(X509 *);
BOOL SSL_X509_getBC(X509 *, int *, int *);
+char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne);
BOOL SSL_X509_getCN(apr_pool_t *, X509 *, char **);
BOOL SSL_X509_INFO_load_file(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
BOOL SSL_X509_INFO_load_path(apr_pool_t *, STACK_OF(X509_INFO) *, const char *);
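To make the format change the commit describes concrete, here is an added example written for this page; it is not httpd code and not part of the commit. It models a DN as a list of (type, value) pairs, renders it in the RFC 2253 form mod_ssl switches to and in a simplified version of the old slash-separated form, and parses the RFC 2253 form back. The sample DNs and all function names are constructed for the example; the escaping follows RFC 2253 section 2.4, and the legacy model deliberately omits the hex escaping that X509_NAME_oneline applies to non-printable bytes.

```python
# Added example for this page (not httpd or mod_ssl code): the RFC 2253
# string form of a certificate DN, next to a simplified model of the old
# slash-separated "oneline" form, and a parser that reads the RFC 2253
# form back. A DN is modelled as an ordered list of (type, value) pairs in
# certificate order (root-most RDN first, e.g. C before O before CN);
# multi-valued RDNs and hex-encoded (#...) values are left out.

# Characters RFC 2253 section 2.4 requires a backslash in front of.
RFC2253_SPECIALS = set(',+"\\<>;')


def escape_rfc2253(value):
    """Escape one attribute value: the special characters above anywhere,
    plus '#' or space at the start and space at the end. Non-ASCII
    characters pass through unchanged (UTF-8 once encoded), which matches
    mod_ssl's choice of XN_FLAG_RFC2253 with ASN1_STRFLGS_ESC_MSB cleared."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in RFC2253_SPECIALS
                or (i == 0 and ch in ('#', ' '))
                or (i == last and ch == ' ')):
            out.append('\\')
        out.append(ch)
    return ''.join(out)


def dn_rfc2253(rdns):
    """RFC 2253 writes RDNs most-specific first, so 'C' ends up last."""
    return ','.join('%s=%s' % (t, escape_rfc2253(v)) for t, v in reversed(rdns))


def dn_legacy(rdns):
    """Simplified model of the pre-2.3.11 output: '/' separators and no
    escaping (the real X509_NAME_oneline also hex-escapes non-printable
    bytes; that detail is omitted here)."""
    return ''.join('/%s=%s' % (t, v) for t, v in rdns)


def parse_rfc2253(s):
    """Inverse of dn_rfc2253 for the subset produced above: split on
    unescaped commas, drop the backslashes, and restore certificate order."""
    if not s:
        return []
    rdns, buf, i = [], [], 0
    while i <= len(s):
        if i == len(s) or s[i] == ',':
            typ, _, val = ''.join(buf).partition('=')
            rdns.append((typ, val))
            buf = []
        elif s[i] == '\\' and i + 1 < len(s):
            i += 1              # escaped character: take it literally
            buf.append(s[i])
        else:
            buf.append(s[i])
        i += 1
    return list(reversed(rdns))


# Constructed sample DNs (not taken from any real certificate).
HONEST = [('C', 'DE'), ('O', 'Example GmbH'), ('CN', 'Müller, Hans')]
# Two distinct DNs whose legacy strings collide, because a '/' inside a
# value is indistinguishable from a separator when nothing is escaped.
WITH_SLASH = [('C', 'DE'), ('O', 'Example GmbH'), ('CN', 'web/O=Other')]
EXTRA_RDN = [('C', 'DE'), ('O', 'Example GmbH'), ('CN', 'web'), ('O', 'Other')]


def legacy_collides(a, b):
    """True when two different DNs are indistinguishable in legacy form."""
    return a != b and dn_legacy(a) == dn_legacy(b)


if __name__ == '__main__':
    print('RFC 2253:', dn_rfc2253(HONEST))
    print('legacy:  ', dn_legacy(HONEST))
    print('round trip ok:', parse_rfc2253(dn_rfc2253(HONEST)) == HONEST)
    print('legacy collision:', legacy_collides(WITH_SLASH, EXTRA_RDN))
    print('RFC 2253 still distinct:',
          dn_rfc2253(WITH_SLASH) != dn_rfc2253(EXTRA_RDN))
```

The collision pair shows why string matching on the old form is unreliable for access control: once a '/' inside a value looks like a separator, two different subjects render identically, whereas the RFC 2253 form escapes its own delimiters and round-trips through the parser. Non-ASCII text such as "Müller" is left unescaped, which is the effect of clearing ASN1_STRFLGS_ESC_MSB in the commit.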
Re: svn commit: r1054323 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml docs/manual/upgrading.xml modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_vars.c modules/ssl/ssl_private.h modules/ssl/ssl_util_ssl.c modules/ssl/ssl_util_ssl.h
Posted by Kaspar Brand <ht...@velox.ch>.
On 02.01.2011 19:35, Stefan Fritsch wrote:
> On Sunday 02 January 2011, Rüdiger Plüm wrote:
>>> Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
>>> URL:
>>> http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_u
>>> til_ssl.c?rev=1054323&r1=1054322&r2=1054323&view=diff
>>> ================================================================
>>> ============== --- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
>>> (original) +++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c Sat
>>> Jan 1 23:56:24 2011 @@ -344,14 +344,32 @@ BOOL
>>> SSL_X509_getBC(X509 *cert, int *ca,
>>>
>>> #endif
>>> }
>>>
>>> +/* convert a NAME_ENTRY to UTF8 string */
>>> +char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p,
>>> X509_NAME_ENTRY *xsne) +{
>>> + char *result = NULL;
>>> + BIO* bio;
>>> + int len;
>>> +
>>> + if ((bio = BIO_new(BIO_s_mem())) == NULL)
>>> + return NULL;
>>> + ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(xsne),
>>> +
>>> ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_UTF8_CONVERT); + len =
>>> BIO_pending(bio);
>>> + result = apr_palloc(p, len+1);
>>> + len = BIO_read(bio, result, len);
>>> + result[len] = NUL;
>>> + BIO_free(bio);
>>> + ap_xlate_proto_from_ascii(value, len);
>>
>> Shouldn't that be ap_xlate_proto_from_ascii(result, len); instead?
>
> Of course, thanks. Fixed in r1054453.
I would suggest dropping the ap_xlate_proto_from_ascii line completely,
for several reasons: "result" is now a UTF-8 encoded string (i.e., it might
well include non-ASCII characters, encoded differently than ISO-8859-1),
ap_xlate_proto_from_ascii is a NOOP for non-EBCDIC platforms, and third,
on EBCDIC platforms, ap_xlate_proto_from_ascii simply does nothing (it
calls apr_xlate_conv_buffer, which returns APR_ENOTIMPL, even in current
versions of APR-util, IINM).
Kaspar
Re: svn commit: r1054323 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml docs/manual/upgrading.xml modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_vars.c modules/ssl/ssl_private.h modules/ssl/ssl_util_ssl.c modules/ssl/ssl_util_ssl.h
Posted by Stefan Fritsch <sf...@sfritsch.de>.
On Sunday 02 January 2011, Rüdiger Plüm wrote:
> On 01/02/2011 12:56 AM, sf@apache.org wrote:
> > Author: sf
> > Date: Sat Jan 1 23:56:24 2011
> > New Revision: 1054323
> >
> > URL: http://svn.apache.org/viewvc?rev=1054323&view=rev
> > Log:
> > Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables
> > to be RFC 2253 compatible, convert non-ASCII characters to UTF8,
> > and escape other special characters with backslashes. The old
> > format can still be used with the LegacyDNStringFormat argument
> > to SSLOptions.
> >
> > Modified:
> > httpd/httpd/trunk/CHANGES
> > httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
> > httpd/httpd/trunk/docs/manual/upgrading.xml
> > httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> > httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
> > httpd/httpd/trunk/modules/ssl/ssl_private.h
> > httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
> > httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
> >
> > Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
> > URL:
> > http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_u
> > til_ssl.c?rev=1054323&r1=1054322&r2=1054323&view=diff
> > ================================================================
> > ============== --- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
> > (original) +++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c Sat
> > Jan 1 23:56:24 2011 @@ -344,14 +344,32 @@ BOOL
> > SSL_X509_getBC(X509 *cert, int *ca,
> >
> > #endif
> > }
> >
> > +/* convert a NAME_ENTRY to UTF8 string */
> > +char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p,
> > X509_NAME_ENTRY *xsne) +{
> > + char *result = NULL;
> > + BIO* bio;
> > + int len;
> > +
> > + if ((bio = BIO_new(BIO_s_mem())) == NULL)
> > + return NULL;
> > + ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(xsne),
> > +
> > ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_UTF8_CONVERT); + len =
> > BIO_pending(bio);
> > + result = apr_palloc(p, len+1);
> > + len = BIO_read(bio, result, len);
> > + result[len] = NUL;
> > + BIO_free(bio);
> > + ap_xlate_proto_from_ascii(value, len);
>
> Shouldn't that be ap_xlate_proto_from_ascii(result, len); instead?
Of course, thanks. Fixed in r1054453.
Re: svn commit: r1054323 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/mod_ssl.xml docs/manual/upgrading.xml modules/ssl/ssl_engine_config.c modules/ssl/ssl_engine_vars.c modules/ssl/ssl_private.h modules/ssl/ssl_util_ssl.c modules/ssl/ssl_util_ssl.h
Posted by Rüdiger Plüm <r....@gmx.de>.
On 01/02/2011 12:56 AM, sf@apache.org wrote:
> Author: sf
> Date: Sat Jan 1 23:56:24 2011
> New Revision: 1054323
>
> URL: http://svn.apache.org/viewvc?rev=1054323&view=rev
> Log:
> Change the format of the SSL_{CLIENT,SERVER}_{I,S}_DN variables
> to be RFC 2253 compatible, convert non-ASCII characters to UTF8, and
> escape other special characters with backslashes. The old format can
> still be used with the LegacyDNStringFormat argument to SSLOptions.
>
> Modified:
> httpd/httpd/trunk/CHANGES
> httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
> httpd/httpd/trunk/docs/manual/upgrading.xml
> httpd/httpd/trunk/modules/ssl/ssl_engine_config.c
> httpd/httpd/trunk/modules/ssl/ssl_engine_vars.c
> httpd/httpd/trunk/modules/ssl/ssl_private.h
> httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
> httpd/httpd/trunk/modules/ssl/ssl_util_ssl.h
> Modified: httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c?rev=1054323&r1=1054322&r2=1054323&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c (original)
> +++ httpd/httpd/trunk/modules/ssl/ssl_util_ssl.c Sat Jan 1 23:56:24 2011
> @@ -344,14 +344,32 @@ BOOL SSL_X509_getBC(X509 *cert, int *ca,
> #endif
> }
>
> +/* convert a NAME_ENTRY to UTF8 string */
> +char *SSL_X509_NAME_ENTRY_to_string(apr_pool_t *p, X509_NAME_ENTRY *xsne)
> +{
> + char *result = NULL;
> + BIO* bio;
> + int len;
> +
> + if ((bio = BIO_new(BIO_s_mem())) == NULL)
> + return NULL;
> + ASN1_STRING_print_ex(bio, X509_NAME_ENTRY_get_data(xsne),
> + ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_UTF8_CONVERT);
> + len = BIO_pending(bio);
> + result = apr_palloc(p, len+1);
> + len = BIO_read(bio, result, len);
> + result[len] = NUL;
> + BIO_free(bio);
> + ap_xlate_proto_from_ascii(value, len);
Shouldn't that be ap_xlate_proto_from_ascii(result, len); instead?
Regards
Rüdiger