Posted to dev@httpd.apache.org by Ben Laurie <be...@algroup.co.uk> on 2005/05/03 18:02:03 UTC

Re: mod_ssl and critical extensions

Stephane Bailliez wrote:
> Hi,
> 
> 
> I'm facing an annoying issue during a PKI deployment and integration 
> within an organization.
> 
> The CA is created with the authority key identifier set as a critical 
> extension.
> 
> OpenSSL (including 0.9.7g) chokes (voluntarily) on critical extensions 
> and by default issues an error such as "Certificate Verification: Error 
> (34): unhandled critical extension"
> 
> The piece of code involved is in 
> crypto/x509/x509_vfy.c::check_chain_purpose
> 
>         if (!(ctx->flags & X509_V_FLAG_IGNORE_CRITICAL)
>             && (x->ex_flags & EXFLAG_CRITICAL))
>             {
>             ctx->error = X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION;
>             ctx->error_depth = i;
>             ctx->current_cert = x;
>             ok=cb(0,ctx);
>             if (!ok) goto end;
>             }
> 
> There is the flag X509_V_FLAG_IGNORE_CRITICAL which can be set when 
> creating the SSL context, unfortunately, mod_ssl does not support any 
> options related to context flags in its configuration, thus it of course 
> fails during authentication with the message above.
> 
> Is there any interest in adding SSL context options to mod_ssl, and if 
> yes, what is the recommended way, if it has been thought about?

It's a pretty dumb idea to ignore critical extensions, so I don't think 
this sounds like a great idea...

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff

Re: mod_ssl and critical extensions

Posted by Stephane Bailliez <sb...@apache.org>.
Hi Ben,

Thanks for your reply. Comments follow:

Ben Laurie wrote:
>> The CA is created with the authority key identifier set as a critical 
>> extension.
>>
>> OpenSSL (including 0.9.7g) chokes (voluntarily) on critical extensions 
>> and by default issues an error such as "Certificate Verification: 
>> Error (34): unhandled critical extension"
[...]
>> There is the flag X509_V_FLAG_IGNORE_CRITICAL which can be set when 
>> creating the SSL context, unfortunately, mod_ssl does not support any 
>> options related to context flags in its configuration, thus it of 
>> course fails during authentication with the message above.
>>
>> Is there any interest in adding SSL context options to mod_ssl, and if 
>> yes, what is the recommended way, if it has been thought about?
> 
> 
> It's a pretty dumb idea to ignore critical extensions, so I don't think 
> this sounds like a great idea...

I have been reading RFC 3280, which says in section 4.2:

    Each extension in a
    certificate is designated as either critical or non-critical.  A
    certificate using system MUST reject the certificate if it encounters
    a critical extension it does not recognize; however, a non-critical
    extension MAY be ignored if it is not recognized.  The following
    sections present recommended extensions used within Internet
    certificates and standard locations for information.  Communities may
    elect to use additional extensions; however, caution ought to be
    exercised in adopting any critical extensions in certificates which
    might prevent use in a general context.

About my case, RFC 3280 makes it clear that the authority key identifier 
must not be marked critical (4.2.1.1), so this one is solved anyway.

Cheers,

Stephane
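As an added example (not code from this thread, nor from OpenSSL or mod_ssl), here is a small stdlib-only Python parser for the X.509 Extensions sequence that mirrors the two checks discussed above: the RFC 3280 4.2 rule OpenSSL applies (reject a certificate carrying a critical extension the verifier does not recognize) and the 4.2.1.1 rule that an authority key identifier must not be marked critical. The extension bytes are constructed inline; the recognized-OID set and all function names are assumptions of this example.

```python
from typing import List, Tuple

AKI_OID = "2.5.29.35"   # authorityKeyIdentifier; RFC 3280 4.2.1.1: MUST be non-critical
# Assumed set of extensions "our" verifier understands (keyUsage, basicConstraints, AKI, SKI).
RECOGNIZED = {"2.5.29.15", "2.5.29.19", "2.5.29.35", "2.5.29.14"}

def _tlv(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def _decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128 arcs, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_extensions(der: bytes) -> List[Tuple[str, bool]]:
    """Parse Extensions ::= SEQUENCE OF Extension into (oid, critical) pairs."""
    tag, body, _ = _tlv(der, 0)
    assert tag == 0x30, "expected SEQUENCE"
    out, pos = [], 0
    while pos < len(body):
        _, ext, pos = _tlv(body, pos)      # Extension ::= SEQUENCE {oid, [critical], value}
        _, oid_raw, p = _tlv(ext, 0)
        t, v, _ = _tlv(ext, p)             # BOOLEAN DEFAULT FALSE, so it may be absent
        out.append((_decode_oid(oid_raw), t == 0x01 and v != b"\x00"))
    return out

def unhandled_critical(exts, recognized=RECOGNIZED) -> List[str]:
    """Critical extensions the verifier does not recognize: the certificate must be rejected."""
    return [oid for oid, crit in exts if crit and oid not in recognized]

def misflagged(exts) -> List[str]:
    """Extensions marked critical although RFC 3280 requires them to be non-critical (AKI here)."""
    return [oid for oid, crit in exts if crit and oid == AKI_OID]

# Constructed sample data (short-form lengths only): AKI wrongly critical,
# keyUsage legitimately critical, and an unknown OID 1.2.3.4 marked critical.
def _enc(tag: int, val: bytes) -> bytes:
    return bytes([tag, len(val)]) + val
def _ext(oid: bytes, critical: bool, value: bytes) -> bytes:
    return _enc(0x30, _enc(0x06, oid) + (_enc(0x01, b"\xff") if critical else b"") + _enc(0x04, value))
SAMPLE = _enc(0x30, _ext(b"\x55\x1d\x23", True, b"\x30\x00")            # 2.5.29.35 AKI
                  + _ext(b"\x55\x1d\x0f", True, b"\x03\x02\x05\xa0")    # 2.5.29.15 keyUsage
                  + _ext(b"\x2a\x03\x04", True, b"\x05\x00"))           # 1.2.3.4 unknown
```

Running the sample through `unhandled_critical` yields only the unknown OID (the case OpenSSL reports as error 34), while `misflagged` isolates the mis-issued AKI that the CA, not the verifier, needs to fix.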