Add SSL_{CLIENT,SERVER}_B64CERT #177
Conversation
modules/ssl/ssl_engine_vars.c
Outdated
@@ -71,6 +76,21 @@ static int ssl_is_https(conn_rec *c) | |||
return sslconn && sslconn->ssl; | |||
} | |||
|
|||
#if APR_VERSION_AT_LEAST(1,7,0) | |||
static const char *ssl_var_lookup_ssl_cert_b64url(apr_pool_t *p, X509 *xs) |
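Review bot: the `#if APR_VERSION_AT_LEAST(1,7,0)` guard around `ssl_var_lookup_ssl_cert_b64url()` has no `#else` branch, so on an older APR the helper simply does not exist and SSL_{CLIENT,SERVER}_B64CERT resolve to nothing with no build-time or runtime diagnostic. Now that the PR has moved to plain base64 (commit "Switch to plain base64 encoding"), apr_base64_encode() from apr_base64.h is available on every APR/APR-util release httpd builds against, so the version guard can be dropped altogether; if it has to stay for another reason, put that reason in a comment and add an `#else` that at least documents the variables as unavailable. The function name should follow the encoding change as well (for example ssl_var_lookup_ssl_cert_b64), which is the point raised in the review comment below.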
The function name is wrong now.
Thanks a lot for the review!
} | ||
#if APR_VERSION_AT_LEAST(1,7,0) |
Why does this still require APR 1.7.0+?
modules/ssl/ssl_engine_kernel.c
Outdated
|
||
val = ssl_var_lookup(r->pool, r->server, r->connection, | ||
r, "SSL_CLIENT_B64CERT"); | ||
apr_table_setn(env, "SSL_CLIENT_B64CERT", val); |
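Review bot: `apr_table_setn(env, "SSL_CLIENT_B64CERT", val)` is unconditional, so when no client certificate was presented the variable is still exported carrying whatever ssl_var_lookup() returns for the missing-certificate case (an empty string rather than NULL), and a consumer cannot tell "option switched off" from "no certificate" by presence alone; either wrap the setn in a non-empty check or state in the SSLOptions documentation that an empty SSL_CLIENT_B64CERT means no certificate was sent. Also confirm that these lines sit inside the `+ExportBase64CertData` condition the commit message describes, since that check is not visible in this hunk, and the chain the reviewer asks for (SSL_CLIENT_B64CERT_CHAIN_n, which ssl_engine_vars.c already dispatches on in the hunk further down) should be exported from the same place so the two never disagree.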
I still miss the entire chain for the sake of completeness.
@@ -356,6 +356,7 @@ APLOG_USE_MODULE(ssl); | |||
#define SSL_OPT_STRICTREQUIRE (1<<5) | |||
#define SSL_OPT_OPTRENEGOTIATE (1<<6) | |||
#define SSL_OPT_LEGACYDNFORMAT (1<<7) | |||
#define SSL_OPT_EXPORTCB64DATA (1<<8) |
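Review bot: SSL_OPT_EXPORTCB64DATA does not follow the naming of the option keyword it backs (+ExportBase64CertData per the commit message) nor of the neighbouring flags, which spell out the directive word for word; SSL_OPT_EXPORTBASE64CERTDATA, as suggested in the comment below, keeps the bit grep-able from the directive. Bit 8 itself is free given the 1<<5 to 1<<7 values shown, but the define alone is not enough: the keyword has to be wired into the SSLOptions parser and the +/- handling, and the mod_ssl SSLOptions documentation needs an entry for the new option together with the SSL_{CLIENT,SERVER}_B64CERT variables it enables; neither appears in this hunk.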
Shouldn't this rather read SSL_OPT_EXPORTBASE64CERTDATA?
server/client cert.
PR: 65169
Switch to plain base64 encoding.
Add +ExportBase64CertData flag for SSLOptions to enable export of SSL_{CLIENT,SERVER}_B64CERT.
Use plain base64 for the SSL_{SERVER,CLIENT}_B64CERT encoding.
modules/ssl/ssl_engine_vars.c
Outdated
@@ -477,7 +477,7 @@ static const char *ssl_var_lookup_ssl(apr_pool_t *p, const SSLConnRec *sslconn, | |||
sk = SSL_get_peer_cert_chain(ssl); | |||
result = ssl_var_lookup_ssl_cert_chain(p, sk, var+18, 1); | |||
} | |||
else if (ssl != NULL && strlen(var) > 18 && strcEQn(var, "CLIENT_B64CERT_CHAIN_", 18)) { | |||
else if (ssl != NULL && strlen(var) > 21 && strcEQn(var, "CLIENT_B64CERT_CHAIN_", 21)) { | |||
sk = SSL_get_peer_cert_chain(ssl); | |||
result = ssl_var_lookup_ssl_cert_chain(p, sk, var+18, 0); |
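Review bot: the offset handed to ssl_var_lookup_ssl_cert_chain() is still `var+18` although the prefix being compared is the 21-byte "CLIENT_B64CERT_CHAIN_", so for SSL_CLIENT_B64CERT_CHAIN_0 the chain lookup receives "IN_0" instead of "0" and can never find the index; it has to be `var+21` to match the corrected `strlen(var) > 21 && strcEQn(var, "CLIENT_B64CERT_CHAIN_", 21)`. The 18 in the branch above is correct only because it is the length of "CLIENT_CERT_CHAIN_", and copying that branch is exactly how the mismatch slipped in, so derive the length once, e.g. `static const char b64chain[] = "CLIENT_B64CERT_CHAIN_";` and `sizeof(b64chain) - 1`, and use it in the strlen check, the strcEQn and the pointer offset.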
21 here too?
That would explain why it wasn't working properly. Thank you @michael-o
Add SSL_{CLIENT,SERVER}_B64CERT to export the base64url(DER) of the server/client cert.
PR: 65169
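The consumer side of the feature the commit message describes, as an added example that is not part of the PR or of httpd: a CGI/FastCGI backend that reads SSL_CLIENT_B64CERT, decodes it strictly and checks that the result is exactly one DER SEQUENCE, plus helpers that derive the expected value from the PEM mod_ssl already exports in SSL_CLIENT_CERT and that tell the final patch's plain base64 apart from the base64url the first revision produced. Assumptions, also marked in the code: the exported value is plain base64 without line breaks (what apr_base64_encode() emits), a base64url value from the earlier revision keeps its padding, and the variable may be present but empty when no client certificate was sent (the setn in the hunk is unconditional). The sample DER is constructed, not a real certificate.

```python
"""Consumer-side handling of SSL_{CLIENT,SERVER}_B64CERT (added example, standard library only)."""
import base64
import binascii
import re
from typing import Optional


def _der_sequence_len(buf: bytes) -> int:
    """Total size (tag + length + value) of the outermost definite-length DER SEQUENCE
    in buf.  Raises ValueError for anything else, including the non-minimal length
    encodings DER forbids."""
    if len(buf) < 2 or buf[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first = buf[1]
    if first < 0x80:                        # short form: a single length byte
        return 2 + first
    n = first & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        raise ValueError("bad DER length")
    length = int.from_bytes(buf[2:2 + n], "big")
    if (n == 1 and length < 0x80) or (n > 1 and buf[2] == 0):
        raise ValueError("non-minimal DER length")
    return 2 + n + length


def b64cert_to_der(value: str) -> bytes:
    """Strictly decode one *_B64CERT value (plain base64 of the DER certificate, as the
    final revision of the patch exports it) and require exactly one DER SEQUENCE with
    no trailing bytes.  validate=True rejects the base64url alphabet, whitespace and
    anything else that is not plain base64."""
    try:
        der = base64.b64decode(value, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not plain base64: {exc}") from None
    if _der_sequence_len(der) != len(der):
        raise ValueError("DER length does not match decoded size (truncated or trailing data)")
    return der


def is_valid_b64cert(value: str) -> bool:
    """True if value passes the strict decode above."""
    try:
        b64cert_to_der(value)
        return True
    except ValueError:
        return False


def pem_to_b64cert(pem: str) -> str:
    """Derive the value a *_B64CERT variable is expected to carry from the PEM that
    SSL_CLIENT_CERT / SSL_SERVER_CERT already export: the PEM body is base64(DER) split
    into lines, so strip the armour and line breaks and re-encode.
    Assumption: the patch emits plain base64 without line breaks."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM input")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    return base64.b64encode(der).decode("ascii")


def b64cert_alphabet(value: str) -> str:
    """Report which RFC 4648 alphabet a *_B64CERT value uses: 'base64' (final patch),
    'base64url' (first revision; assumed to keep '=' padding) or 'invalid'.  A value
    that contains none of '+', '/', '-', '_' decodes under both and is reported as
    'base64'."""
    candidates = (("base64", value),
                  ("base64url", value.translate(str.maketrans("-_", "+/"))))
    for name, text in candidates:
        try:
            base64.b64decode(text, validate=True)
            return name
        except ValueError:                  # binascii.Error is a ValueError subclass
            continue
    return "invalid"


def client_cert_from_env(env: dict) -> Optional[bytes]:
    """Read SSL_CLIENT_B64CERT from a CGI/FastCGI-style environment.  Missing or empty
    is treated as 'no client certificate'.  Assumption: the variable is set
    unconditionally inside the option block, so it may be present but empty."""
    value = env.get("SSL_CLIENT_B64CERT", "")
    if not value:
        return None
    return b64cert_to_der(value)


# Constructed sample input (NOT a real X.509 certificate): a DER SEQUENCE holding an
# INTEGER, an OCTET STRING of 0xFF bytes (so the base64 contains '/') and a UTF8String.
# It exercises the TLV check and the alphabet handling only.
SAMPLE_DER = bytes.fromhex("301b0201020403ffffff0c11") + b"constructed-input"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(SAMPLE_B64[i:i + 64] for i in range(0, len(SAMPLE_B64), 64))
              + "\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("SSL_CLIENT_B64CERT would carry:", pem_to_b64cert(SAMPLE_PEM))
    print("alphabet:", b64cert_alphabet(SAMPLE_B64))
    print("decoded DER:", client_cert_from_env({"SSL_CLIENT_B64CERT": SAMPLE_B64}).hex())
```

The strict decode matters because a backend written against the first revision (base64url) silently gets a different alphabet once the final patch ships: `b64cert_to_der()` refuses a value containing '-' or '_' instead of producing garbage DER, and `b64cert_alphabet()` is a quick way to find out what a given deployment actually exports.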