mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
authorGraham Leggett <minfrin@apache.org>
Sat, 21 Feb 2015 00:33:34 +0000 (00:33 +0000)
committerGraham Leggett <minfrin@apache.org>
Sat, 21 Feb 2015 00:33:34 +0000 (00:33 +0000)
a combination of certificate serialNumber and issuer as defined by
CertificateExactMatch in RFC4523.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1661258 13f79535-47bb-0310-9956-ffa450edef68

CHANGES
docs/manual/mod/mod_ssl.xml
modules/ssl/ssl_engine_kernel.c
modules/ssl/ssl_engine_vars.c

diff --git a/CHANGES b/CHANGES
index fa122774c2df7e17ccb4589ec618e02d46d3dc9f..845244242804509da4e6fca5c8ae2f70b851c58d 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -6,6 +6,10 @@ Changes with Apache 2.5.0
      calls r:wsupgrade() can cause a child process crash. 
      [Edward Lu <Chaosed0 gmail.com>]
 
+  *) mod_ssl: Add the SSL_CLIENT_CERT_RFC4523_CEA variable, which provides
+     a combination of certificate serialNumber and issuer as defined by
+     CertificateExactMatch in RFC4523. [Graham Leggett]
+
   *) suexec: Filter out the HTTP_PROXY environment variable because it is
      treated as alias for http_proxy by some programs. [Stefan Fritsch]
 
index 05be81277b1b6dc65e9257ed1f58a8201108b7bc..75f386b297d39aa08d70f9611eb7de727886f35b 100644 (file)
@@ -86,6 +86,7 @@ compatibility variables.</p>
 <tr><td><code>SSL_CLIENT_A_KEY</code></td>              <td>string</td>    <td>Algorithm used for the public key of client's certificate</td></tr>
 <tr><td><code>SSL_CLIENT_CERT</code></td>               <td>string</td>    <td>PEM-encoded client certificate</td></tr>
 <tr><td><code>SSL_CLIENT_CERT_CHAIN_</code><em>n</em></td> <td>string</td>    <td>PEM-encoded certificates in client certificate chain</td></tr>
+<tr><td><code>SSL_CLIENT_CERT_RFC4523_CEA</code></td>   <td>string</td>    <td>Serial number and issuer of the certificate. The format matches that of the CertificateExactAssertion in RFC4523</td></tr>
 <tr><td><code>SSL_CLIENT_VERIFY</code></td>             <td>string</td>    <td><code>NONE</code>, <code>SUCCESS</code>, <code>GENEROUS</code> or <code>FAILED:</code><em>reason</em></td></tr>
 <tr><td><code>SSL_SERVER_M_VERSION</code></td>          <td>string</td>    <td>The version of the server certificate</td></tr>
 <tr><td><code>SSL_SERVER_M_SERIAL</code></td>           <td>string</td>    <td>The serial of the server certificate</td></tr>
index fc45a386ea65e7f3b8d745117382a9343c5a732a..2fdd616cd5480167df3260cb17758a01078dc757 100644 (file)
@@ -1136,6 +1136,7 @@ static const char *ssl_hook_Fixup_vars[] = {
     "SSL_CLIENT_I_DN",
     "SSL_CLIENT_A_KEY",
     "SSL_CLIENT_A_SIG",
+    "SSL_CLIENT_CERT_RFC4523_CEA",
     "SSL_SERVER_M_VERSION",
     "SSL_SERVER_M_SERIAL",
     "SSL_SERVER_V_START",
index f3f9ed5c662b0f916cdd6cdc2676850447225734..8a9487abf52af449b5cf9d49736910f623ed9610 100644 (file)
@@ -47,6 +47,7 @@ static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm);
 static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm);
 static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs);
 static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, char *var);
+static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl);
 static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs);
 static char *ssl_var_lookup_ssl_cert_verify(apr_pool_t *p, conn_rec *c);
 static char *ssl_var_lookup_ssl_cipher(apr_pool_t *p, conn_rec *c, char *var);
@@ -435,6 +436,9 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r,
         sk = SSL_get_peer_cert_chain(ssl);
         result = ssl_var_lookup_ssl_cert_chain(p, sk, var+18);
     }
+    else if (ssl != NULL && strcEQ(var, "CLIENT_CERT_RFC4523_CEA")) {
+        result = ssl_var_lookup_ssl_cert_rfc4523_cea(p, ssl);
+    }
     else if (ssl != NULL && strcEQ(var, "CLIENT_VERIFY")) {
         result = ssl_var_lookup_ssl_cert_verify(p, c);
     }
@@ -782,6 +786,37 @@ static char *ssl_var_lookup_ssl_cert_chain(apr_pool_t *p, STACK_OF(X509) *sk, ch
     return result;
 }
 
+static char *ssl_var_lookup_ssl_cert_rfc4523_cea(apr_pool_t *p, SSL *ssl)
+{
+    char *result;
+    X509 *xs;
+
+    ASN1_INTEGER *serialNumber;
+
+    if (!(xs = SSL_get_peer_certificate(ssl))) {
+        return NULL;
+    }
+
+    result = NULL;
+
+    serialNumber = X509_get_serialNumber(xs);
+    if (serialNumber) {
+        X509_NAME *issuer = X509_get_issuer_name(xs);
+        if (issuer) {
+            BIGNUM *bn = ASN1_INTEGER_to_BN(serialNumber, NULL);
+            char *decimal = BN_bn2dec(bn);
+            result = apr_pstrcat(p, "{ serialNumber ", decimal,
+                    ", issuer rdnSequence:\"",
+                    SSL_X509_NAME_to_string(p, issuer, 0), "\" }", NULL);
+            OPENSSL_free(decimal);
+            BN_free(bn);
+        }
+    }
+
+    X509_free(xs);
+    return result;
+}
+
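Review bot: The new ssl_var_lookup_ssl_cert_rfc4523_cea() dereferences the results of ASN1_INTEGER_to_BN() and BN_bn2dec() without checking them (the `BIGNUM *bn = ...` and `char *decimal = ...` lines); both can return NULL on allocation failure, in which case BN_bn2dec(NULL) is an invalid call and a NULL `decimal` silently terminates apr_pstrcat()'s argument list, producing a truncated value such as `{ serialNumber ` that still looks like a populated variable. Guard both and leave `result` NULL when either fails, as sketched below; OPENSSL_free(NULL) and BN_free(NULL) are both safe so the cleanup can stay unconditional. Two caveats are worth a comment on the function: the issuer DN is embedded verbatim between double quotes, so if SSL_X509_NAME_to_string() emits RFC 2253-style escaping (an embedded `"` becomes `\"`) the output is not well-formed GSER, which represents an embedded `"` as `""` (RFC 3641) — confirm against that helper's flags before promising consumers a parseable CertificateExactAssertion. And, like the other SSL_CLIENT_* variables, the value is taken from whatever certificate the peer presented via SSL_get_peer_certificate() without consulting the verify result, so anyone using it for authorization must pair it with SSL_CLIENT_VERIFY.
```c
            BIGNUM *bn = ASN1_INTEGER_to_BN(serialNumber, NULL);
            /* both OpenSSL calls can fail on allocation; never hand a NULL
             * to apr_pstrcat(), which would silently truncate the value */
            char *decimal = bn ? BN_bn2dec(bn) : NULL;
            if (decimal) {
                result = apr_pstrcat(p, "{ serialNumber ", decimal,
                        ", issuer rdnSequence:\"",
                        SSL_X509_NAME_to_string(p, issuer, 0), "\" }", NULL);
            }
            OPENSSL_free(decimal);
            BN_free(bn);
            /* … unchanged: X509_free(xs); return result; … */
```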
 static char *ssl_var_lookup_ssl_cert_PEM(apr_pool_t *p, X509 *xs)
 {
     char *result;