Use of X509_NAME_oneline in mod_ssl
Hi,

The current mod_ssl uses X509_NAME_oneline to get a one-line ASCII
format of the DN. This however, is not compliant with the RFC -
checkout http://www.openssl.org/support/faq.html#USER13.

Moreover, the man page for X509_NAME_oneline (with OpenSSL 0.9.7x)
says that the function is obsolete, and that we ought to use
X509_NAME_print_ex.

The patch is pretty simple if we want to change mod_ssl to use the RFC
supported style. However, there are probably a lot of users who will
not be happy if we change it abruptly. Hence I propose that we add a
new SSL directive (SSLDNFormat or something like that) which allows
the user to configure the format he likes (default will be the non-RFC
compliant).

The one catch with such a directive is if the customer is using
OpenSSL 0.9.6x - where X509_NAME_print_ex is not available - in which
case, the directive will be dummy.

Any comments?

Thanks
-Madhu
Re: Use of X509_NAME_oneline in mod_ssl
On Fri, Oct 15, 2004 at 10:17:19AM -0700, Madhusudan Mathihalli wrote:
> The current mod_ssl uses X509_NAME_oneline to get a one-line ASCII
> format of the DN. This however, is not compliant with the RFC -
> checkout http://www.openssl.org/support/faq.html#USER13.
>
> Moreover, the man page for X509_NAME_oneline (with OpenSSL 0.9.7x)
> says that the function is obsolete, and that we ought to use
> X509_NAME_print_ex.

The RFC mentioned, RFC 2253, is a mapping for DNs into a standard form for
use with LDAP databases. mod_ssl exports DNs for use in FakeBasicAuth,
and in the SSL_*_DN variables (anywhere else too?); I don't see how
these relate to LDAP?

> The patch is pretty simple if we want to change mod_ssl to use the RFC
> supported style. However, there are probably a lot of users who will
> not be happy if we change it abruptly. Hence I propose that we add a
> new SSL directive (SSLDNFormat or something like that) which allows
> the user to configure the format he likes (default will be the non-RFC
> compliant).

Which use of DNs do you want to change? Controlling these disparate uses
of DNs from one config directive sounds confusing.

joe
Re: Use of X509_NAME_oneline in mod_ssl
On Fri, 15 Oct 2004 21:14:16 +0100, Joe Orton <jorton@redhat.com> wrote:
[SNIP]
> > Moreover, the man page for X509_NAME_oneline (with OpenSSL 0.9.7x)
> > says that the function is obsolete, and that we ought to use
> > X509_NAME_print_ex.
>
> The RFC mentioned, RFC 2253, is a mapping for DNs into a standard form for
> use with LDAP databases. mod_ssl exports DNs for use in FakeBasicAuth,
> and in the SSL_*_DN variables (anywhere else too?); I don't see how
> these relate to LDAP?

Well.. for one use I have at least 2 different customers who map the
information retrieved from a client certificate to the LDAP database.
Both of them came back with the same question: Does SSL_CLIENT_S_DN
conform to any known standard? The only standards I know of for
representing DNs are 1779 and 2253. Are there any other standards
- if so, please let me know, for I'm unaware.

>
> > The patch is pretty simple if we want to change mod_ssl to use the RFC
> > supported style. However, there are probably a lot of users who will
> > not be happy if we change it abruptly. Hence I propose that we add a
> > new SSL directive (SSLDNFormat or something like that) which allows
> > the user to configure the format he likes (default will be the non-RFC
> > compliant).
>
> Which use of DNs do you want to change? Controlling these disparate uses
> of DNs from one config directive sounds confusing.

Okay - what do you suggest?

Thanks
-Madhu
Re: Use of X509_NAME_oneline in mod_ssl
At 12:17 PM 10/15/2004, Madhusudan Mathihalli wrote:
>Hi,
>
> The current mod_ssl uses X509_NAME_oneline to get a one-line ASCII
>format of the DN. This however, is not compliant with the RFC -
>checkout http://www.openssl.org/support/faq.html#USER13.

Could you do us all a small favor and give us examples of what
the SSL_*_DN would contain with the old and new formats?

Thanks,

Bill
Re: Use of X509_NAME_oneline in mod_ssl
On Fri, Oct 15, 2004 at 03:41:59PM -0700, Madhusudan Mathihalli wrote:
> Well.. for one use I have at least 2 different customers who map the
> information retrieved from a client certificate to the LDAP database.
> Both of them came back with the same question: Does SSL_CLIENT_S_DN
> conform to any known standard? The only standards I know of for
> representing DNs are 1779 and 2253. Are there any other standards
> - if so, please let me know, for I'm unaware.

As far as I'm aware, it's just a convention adopted by OpenSSL.

> > > The patch is pretty simple if we want to change mod_ssl to use the RFC
> > > supported style. However, there are probably a lot of users who will
> > > not be happy if we change it abruptly. Hence I propose that we add a
> > > new SSL directive (SSLDNFormat or something like that) which allows
> > > the user to configure the format he likes (default will be the non-RFC
> > > compliant).
> >
> > Which use of DNs do you want to change? Controlling these disparate uses
> > of DNs from one config directive sounds confusing.
>
> Okay - what do you suggest?

Changing just the _DN variable format with a config directive sounds OK.
Adding new variables would be an alternative, but the names would
probably get *really* ugly...

joe
Re: Use of X509_NAME_oneline in mod_ssl
On Fri, 15 Oct 2004 19:46:20 -0500, William A. Rowe, Jr.
<wrowe@rowe-clan.net> wrote:
> At 12:17 PM 10/15/2004, Madhusudan Mathihalli wrote:
> >Hi,
> >
> > The current mod_ssl uses X509_NAME_oneline to get a one-line ASCII
> >format of the DN. This however, is not compliant with the RFC -
> >checkout http://www.openssl.org/support/faq.html#USER13.
>
> Could you do us all a small favor and give us examples of what
> the SSL_*_DN would contain with the old and new formats?
>

Sure.. The current format is:
SSL_CLIENT_S_DN:
/C=US/ST=CA/L=Cupertino/O=ABC, XYZ/OU=Apache/CN=madhu

In the new format, I'd expect it to be (please note that I have not
yet implemented it - so, I might be wrong on the exact format):

SSL_CLIENT_S_DN:
CN=madhu,OU=Apache,O=ABC \,XYZ,L=Cupertino,ST=CA,C=US

The RFC (http://www.faqs.org/rfcs/rfc2253.html) has some more examples.

Thanks
-Madhu
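To make the two formats quoted above concrete, here is an added example (not code from the thread or from mod_ssl) that converts an X509_NAME_oneline string into RFC 2253 form: it reverses the RDN order, joins with commas, and applies the section 2.4 escaping rules (special characters, a leading '#' or space, a trailing space). It also shows why the oneline format is lossy: a '/' inside a value is not escaped, so the parser cannot tell it from an RDN separator. The function names and the sample DN are my own constructions.

```python
# Characters RFC 2253 section 2.4 requires to be escaped inside a value.
_SPECIAL = set(',+"\\<>;')


def rfc2253_escape(value):
    """Escape one attribute value as RFC 2253 section 2.4 describes."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append('\\' + ch)
        elif ch == ' ' and (i == 0 or i == last):
            out.append('\\ ')          # leading or trailing space
        elif ch == '#' and i == 0:
            out.append('\\#')          # leading '#' would read as hex-encoded BER
        else:
            out.append(ch)
    return ''.join(out)


def parse_oneline(dn):
    """Split an X509_NAME_oneline string into (type, value) pairs.

    The oneline format separates RDNs with '/' and does not escape a '/'
    that occurs inside a value, so such a DN cannot be parsed reliably.
    That ambiguity is the point the OpenSSL FAQ makes against oneline.
    """
    if not dn.startswith('/'):
        raise ValueError('oneline DN must start with "/"')
    pairs = []
    for part in dn[1:].split('/'):
        if '=' not in part:
            # Reached when a value contained '/', e.g. "O=ABC/DEF".
            raise ValueError('cannot parse RDN component %r' % part)
        attr, value = part.split('=', 1)
        pairs.append((attr, value))
    return pairs


def oneline_to_rfc2253(dn):
    """Render an oneline DN in RFC 2253 form (reversed, comma-joined, escaped)."""
    pairs = parse_oneline(dn)
    return ','.join('%s=%s' % (attr, rfc2253_escape(value))
                    for attr, value in reversed(pairs))


if __name__ == '__main__':
    # Constructed sample, modelled on the DN quoted in the thread.
    sample = '/C=US/ST=CA/L=Cupertino/O=ABC, XYZ/OU=Apache/CN=madhu'
    print(oneline_to_rfc2253(sample))
```

Note that the converter assumes single-valued RDNs and printable string values; a real implementation would work from the parsed X509_NAME rather than re-parsing the oneline text, which is exactly why X509_NAME_print_ex with the RFC 2253 flags is the recommended route.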
Re: Use of X509_NAME_oneline in mod_ssl
On Sat, 16 Oct 2004 07:58:57 +0100, Joe Orton <jorton@redhat.com> wrote:
> Changing just the _DN variable format with a config directive sounds OK.
> Adding new variables would be an alternative, but the names would
> probably get *really* ugly...
>
That is correct - I should've been more clear in my mail. What I
really meant was to give options like
DNFormat SSL_SERVER_S_DN default
DNFormat SSL_CLIENT_S_DN rfc2253

This way, users can easily configure different output formats for the
DN based on their requirements.

Thanks
-Madhu
Re: Use of X509_NAME_oneline in mod_ssl
On Wed, Oct 20, 2004 at 12:13:14AM -0700, Madhusudan Mathihalli wrote:
> On Sat, 16 Oct 2004 07:58:57 +0100, Joe Orton <jorton@redhat.com> wrote:
> > Changing just the _DN variable format with a config directive sounds OK.
> > Adding new variables would be an alternative, but the names would
> > probably get *really* ugly...
> >
> That is correct - I should've been more clear in my mail. What I
> really meant was to give options like
> DNFormat SSL_SERVER_S_DN default
> DNFormat SSL_CLIENT_S_DN rfc2253

Actually I do wonder whether just adding new variable names

SSL_{SERVER,CLIENT}_{I,S}_2253DN

is the best way. If you have other modules which are accessing the DNs
directly from ssl_var_lookup you may not want to change the DN format
for them, but you do for some script, or vice versa. Those names aren't
so ugly, and it saves adding more config directives. What do you
reckon?

joe
Re: Use of X509_NAME_oneline in mod_ssl
On Wed, 20 Oct 2004 08:37:01 +0100, Joe Orton <jorton@redhat.com> wrote:
> On Wed, Oct 20, 2004 at 12:13:14AM -0700, Madhusudan Mathihalli wrote:
> > On Sat, 16 Oct 2004 07:58:57 +0100, Joe Orton <jorton@redhat.com> wrote:
> > > Changing just the _DN variable format with a config directive sounds OK.
> > > Adding new variables would be an alternative, but the names would
> > > probably get *really* ugly...
> > >
> > That is correct - I should've been more clear in my mail. What I
> > really meant was to give options like
> > DNFormat SSL_SERVER_S_DN default
> > DNFormat SSL_CLIENT_S_DN rfc2253
>
> Actually I do wonder whether just adding new variable names
>
> SSL_{SERVER,CLIENT}_{I,S}_2253DN
>
> is the best way. If you have other modules which are accessing the DNs
> directly from ssl_var_lookup you may not want to change the DN format
> for them, but you do for some script, or vice versa. Those names aren't
> so ugly, and it saves adding more config directives. What do you
> reckon?
>

Sure - I like the idea.

The one concern is that if we end up exporting both _DN and _2253DN
formats, it'll have a performance impact on Apache. As it stands now,
Apache is around 50% slower than Zeus (even with SPECweb2003).

I'll start working on the patch.

Thanks
-Madhu
Re: Use of X509_NAME_oneline in mod_ssl
On Wed, Oct 20, 2004 at 08:50:50AM -0700, Madhusudan Mathihalli wrote:
> The one concern is that if we end up exporting both _DN and _2253DN
> formats, it'll have a performance impact on Apache. As it stands now,
> Apache is around 50% slower than Zeus (even with SPECweb2003).

Is that with +StdEnvVars turned on then?

> I'll start working on the patch.

Thanks Madhu.

joe
Re: Use of X509_NAME_oneline in mod_ssl
On Wed, 20 Oct 2004 17:02:19 +0100, Joe Orton <jorton@redhat.com> wrote:
> On Wed, Oct 20, 2004 at 08:50:50AM -0700, Madhusudan Mathihalli wrote:
> > The one concern is that if we end up exporting both _DN and _2253DN
> > formats, it'll have a performance impact on Apache. As it stands now,
> > Apache is around 50% slower than Zeus (even with SPECweb2003).
>
> Is that with +StdEnvVars turned on then?

Good point - I had it turned off. So, my concern is not really a concern :)

Thanks
-Madhu
Re: Use of X509_NAME_oneline in mod_ssl
On Oct 20, 2004, at 8:50 AM, Madhusudan Mathihalli wrote:

> The one concern is that if we end up exporting both _DN and _2253DN
> formats, it'll have a performance impact on Apache. As it stands now,
> Apache is around 50% slower than Zeus (even with SPECweb2003).

SPECWeb99 doesn't require any SSL environment vars, so you'd typically
turn that off anyway.

S.

--
sander@temme.net http://www.temme.net/sander/
PGP FP: 51B4 8727 466A 0BC3 69F4 B7B8 B2BE BC40 1529 24AF