RE: Incorrect conversion of UTF-8 characters coming from X.509 certificates, please help

This may help you; I patched mod_ssl to retrieve the certificate DN in RFC2253 [LDAP-compliant] format, instead of the deprecated method currently used:
 
--- http-2.2.15-baseline/modules/ssl//ssl_engine_vars.c Sat Feb 27
16:00:58 2010
--- http-2.2.15/modules/ssl//ssl_engine_vars.c  Tue Mar 23 14:22:53 2010
@@ -367,10 +367,20 @@
     }
     else if (strcEQ(var, "S_DN")) {
         xsname = X509_get_subject_name(xs);
-        cp = X509_NAME_oneline(xsname, NULL, 0);
-        result = apr_pstrdup(p, cp);
-        modssl_free(cp);
-        resdup = FALSE;
+        BIO *bio;
+        int n;
+       
+        if ((bio = BIO_new(BIO_s_mem())) == NULL) {
+            result = NULL;
+        } else {
+            X509_NAME_print_ex(bio, xsname, 0, XN_FLAG_RFC2253);
+            n = BIO_pending(bio);
+            result = apr_pcalloc(p, n+1);
+            n = BIO_read(bio, result, n);
+            result[n] = NUL;
+            BIO_free(bio);
+            resdup = FALSE;
+        }
     }
     else if (strlen(var) > 5 && strcEQn(var, "S_DN_", 5)) {
         xsname = X509_get_subject_name(xs)
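
Review bot: in the new S_DN branch, `result[n] = NUL` uses the return value of BIO_read without checking it, and the return value of X509_NAME_print_ex is ignored. BIO_read can return zero or a negative value, and a negative n would write before the start of the `apr_pcalloc` buffer. Suggest testing the X509_NAME_print_ex result, writing the terminator only when `n > 0`, and setting result to NULL otherwise. The declarations `BIO *bio;` and `int n;` also follow a statement inside the block, which a C89 compiler rejects; move them to the top of the enclosing scope. Only the S_DN case is visible in this hunk, so anything that compares it with the issuer DN should confirm that both are produced in the same format.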

See also:
 
http://mail-archives.apache.org/mod_mbox/httpd-modules-dev/201003.mbox/%3C5045A4D718CAB644BA24979206486B60067A4179@xxxxxxxxxxxxxxxxxxx%3E
 



From: Luis Neves [mailto:luisneves@xxxxxxxxxxx]
Sent: Thursday, April 29, 2010 10:34 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Incorrect conversion of UTF-8 characters coming from X.509 certificates, please help

Hi there,
I am trying to match the values coming from apache/mod_ssl/mod_authz_ldap against some fields (subjectDN and issuerDN) in an OpenLDAP directory.
The problem is that Apache is receiving certificate data that contains UTF8-encoded chars.

Those chars are being incorrectly encoded with '\x' characters (deprecated source code? bug?), and this causes mod_authz_ldap to fail the query with a "bad search filter" error.

Here is some example data from the ssl_error.log:
http://www.mail-archive.com/openssl-users@xxxxxxxxxxx/msg60934.html

I need help solving this; I am stuck and don't know what to do to get this working.
Can somebody help me please?

PS: I'm using Apache 2.2.3 on CentOS 5.4, against OpenLDAP.

Luis
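
Why the '\x' form produces "bad search filter", as an added example (not code from either poster, mod_ssl or mod_authz_ldap): RFC 4515 accepts a backslash in a filter value only when two hex digits follow it, so `\xC3` is rejected. The helper names and the sample value are constructed, and the rewrite assumes every `\xHH` in the input stands for one raw byte.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 if every backslash in s starts an RFC 4515 escape: "\" + two hex digits. */
static int escapes_ok(const char *s)
{
    for (; *s; s++) {
        if (*s != '\\')
            continue;
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
            return 0;
        s += 2;
    }
    return 1;
}

/* Rewrite a value for use inside an LDAP filter. "\xHH" becomes "\hh";
 * filter specials and bytes outside printable ASCII are hex-escaped.
 * Assumption: a "\xHH" sequence is never literal text in the certificate.
 * Returns the output length, or -1 if out is too small. */
static int to_filter_value(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    if (outsz == 0)
        return -1;
    while (*in) {
        unsigned char c = (unsigned char)*in;
        int esc;
        if (c == '\\' && in[1] == 'x' && isxdigit((unsigned char)in[2])
            && isxdigit((unsigned char)in[3])) {
            if (o + 4 > outsz)          /* 3 chars plus the final NUL */
                return -1;
            out[o++] = '\\';            /* keep the digits, drop the 'x' */
            out[o++] = (char)tolower((unsigned char)in[2]);
            out[o++] = (char)tolower((unsigned char)in[3]);
            in += 4;
            continue;
        }
        esc = (c == '*' || c == '(' || c == ')' || c == '\\'
               || c < 0x20 || c >= 0x7f);
        if (o + (esc ? 3 : 1) + 1 > outsz)
            return -1;
        if (esc)
            o += (size_t)sprintf(out + o, "\\%02x", (unsigned)c);
        else
            out[o++] = (char)c;
        in++;
    }
    out[o] = '\0';
    return (int)o;
}
```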

