Posted to dev@httpd.apache.org by Joe Orton <jo...@redhat.com> on 2005/07/22 12:12:07 UTC

Re: svn commit: r219940 - in /httpd/httpd/trunk: docs/manual/mod/mod_ssl.xml modules/ssl/ssl_expr.h modules/ssl/ssl_expr_eval.c modules/ssl/ssl_expr_parse.y modules/ssl/ssl_expr_scan.l

On Wed, Jul 20, 2005 at 04:42:59PM -0000, Martin Kraemer wrote:
> Author: martin
> Date: Wed Jul 20 09:42:58 2005
> New Revision: 219940
> 
> URL: http://svn.apache.org/viewcvs?rev=219940&view=rev
> Log:
> Collaborative work: (Thanks, dreid!)
> Implement OID checking for mod_ssl. This code allows for checking of arbitrary client
> certificate extensions by OID, in a syntax like:
>    SSLRequire "BaDCA Generated Certificate" in Oid("2.16.840.1.113730.1.13") \
>           || "committers"                   in Oid("1.3.6.1.4.1.18060.1")
> Note the following:
> * A given OID can occur multiple times in one cert, with different values. Therefore
>   the OID function compares the left-hand string against each of the OID values,
>   until a complete match is found. If none matches, the result is FALSE
> * The left hand side can be another expression, so can be a reference to a variable
>   or a file() invocation etc.
> * The OID is also just a reference to a string, or function, or whatever.
> * My manual description is very short. Someone else please help improve the description

1) this is a pretty specific way to code it.  Is there no way to make 
it more general so that OID() is just a function like file() and can be 
used e.g. in regex matches too?

2) you must always check in the regenerated scanner source 
along with changes to the lex file.

Regards,

joe

Re: svn commit: r219940 - in /httpd/httpd/trunk: docs/manual/mod/mod_ssl.xml modules/ssl/ssl_expr.h modules/ssl/ssl_expr_eval.c modules/ssl/ssl_expr_parse.y modules/ssl/ssl_expr_scan.l

Posted by Justin Erenkrantz <ju...@erenkrantz.com>.
On Fri, Jul 22, 2005 at 12:02:29PM +0100, Joe Orton wrote:
> and since I can't update to fix (2) myself, here's another...

Try again.  All should be operational again.  -- justin

Re: svn commit: r219940 - in /httpd/httpd/trunk: docs/manual/mod/mod_ssl.xml modules/ssl/ssl_expr.h modules/ssl/ssl_expr_eval.c modules/ssl/ssl_expr_parse.y modules/ssl/ssl_expr_scan.l

Posted by Joe Orton <jo...@redhat.com>.
On Fri, Jul 22, 2005 at 11:12:07AM +0100, Joe Orton wrote:
> On Wed, Jul 20, 2005 at 04:42:59PM -0000, Martin Kraemer wrote:
> > Author: martin
> > Date: Wed Jul 20 09:42:58 2005
> > New Revision: 219940
> > 
> > URL: http://svn.apache.org/viewcvs?rev=219940&view=rev
> > Log:
> > Collaborative work: (Thanks, dreid!)
> > Implement OID checking for mod_ssl. This code allows for checking of arbitrary client
> > certificate extensions by OID, in a syntax like:
> >    SSLRequire "BaDCA Generated Certificate" in Oid("2.16.840.1.113730.1.13") \
> >           || "committers"                   in Oid("1.3.6.1.4.1.18060.1")
> > Note the following:
> > * A given OID can occur multiple times in one cert, with different values. Therefore
> >   the OID function compares the left-hand string against each of the OID values,
> >   until a complete match is found. If none matches, the result is FALSE
> > * The left hand side can be another expression, so can be a reference to a variable
> >   or a file() invocation etc.
> > * The OID is also just a reference to a string, or function, or whatever.
> > * My manual description is very short. Someone else please help improve the description

and since I can't update to fix (2) myself, here's another...

3) oid() is a terrible name for this; it's simply the type of the 
parameter.  It would be like calling malloc() "size()".  The function 
expands (conceptually) to the values of an extension in the peer's 
certificate, identified by OID; so call it peerext() or something 
meaningful like that.
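The Oid() matching rule from the quoted commit log (the left-hand string is compared against every value of the extension carrying that OID, only a complete match counts, and no match is FALSE), as a small added Python model of the `"str" in Oid("oid")` subset of SSLRequire joined by `||` / `&&`. This is not mod_ssl's ssl_expr_eval.c; the extension table, the COMMIT_EXAMPLE string and the string-literal-only left-hand side are assumptions for illustration.

```python
import re

# Constructed stand-in for the peer certificate's parsed extensions:
# OID -> list of values (the same OID may appear more than once).
SAMPLE_CERT_EXTENSIONS = {
    "2.16.840.1.113730.1.13": ["BaDCA Generated Certificate"],
    "1.3.6.1.4.1.18060.1": ["users", "committers"],
}
# The commit log's example without the "SSLRequire" directive name;
# backslash-newline is an httpd.conf line continuation.
COMMIT_EXAMPLE = ('"BaDCA Generated Certificate" in Oid("2.16.840.1.113730.1.13") \\\n'
                  '        || "committers"                   in Oid("1.3.6.1.4.1.18060.1")')

_TERM = re.compile(r'"([^"]*)"\s+in\s+Oid\("([^"]*)"\)')   # "str" in Oid("oid")
_OP = re.compile(r'\|\||&&')

def string_in_oid(lhs, cert_exts, oid):
    """Compare lhs against every value of the extension(s) with this OID until
    one matches completely; no match, or no such extension, is FALSE."""
    return any(lhs == value for value in cert_exts.get(oid, []))

def tokenize(expr):
    """Split the expression into ('term', lhs, oid) and ('op', '||' or '&&')."""
    expr, pos, tokens = expr.replace("\\\n", " "), 0, []
    while pos < len(expr):
        if expr[pos].isspace():
            pos += 1
            continue
        m = _TERM.match(expr, pos) or _OP.match(expr, pos)
        if m is None:
            raise ValueError("cannot parse SSLRequire at: %r" % expr[pos:pos + 20])
        tokens.append(("term",) + m.groups() if m.re is _TERM else ("op", m.group(0)))
        pos = m.end()
    return tokens

def eval_require(expr, cert_exts):
    """Evaluate term (op term)*; && binds tighter than ||, as in C."""
    tokens = tokenize(expr)
    if not tokens or len(tokens) % 2 == 0 or \
       any(tok[0] != ("term", "op")[i % 2] for i, tok in enumerate(tokens)):
        raise ValueError("expected: term (|| term | && term)*")
    groups = [[]]                      # OR of AND-groups, first group open
    for tok in tokens:
        if tok[0] == "term":
            groups[-1].append(string_in_oid(tok[1], cert_exts, tok[2]))
        elif tok[1] == "||":
            groups.append([])
    return any(all(group) for group in groups)
```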