
Invalid characters in X-SSL-Subject/Issuer
Mattias Öhrn <mattias.ohrn(at)gmail.com>
2009-07-09 09:08:08 [ FULL ]
Hello,

I have a problem related to the client certificate HTTP headers added by
pound. When the client certificate contains a subject or issuer DN with non
ASCII characters the corresponding header added by Pound (X-SSL-Subject or
X-SSL-Issuer) will get a value that contains invalid characters (e.g. 'Ö' is
encoded as 0x303, 0x226). I think this is incorrect according to RFC 2616.

This has not been a problem until now when we're trying to migrate an
ASP.NET web service to Windows Communication Foundation (WCF). It turns out
that WCF is *very* strict about HTTP headers and if there is one invalid
header it is not possible to access any headers (and we need to retrieve the
certificate from the X-SSL-Certificate header). We don't need the
X-SSL-Subject or X-SSL-Issuer headers but I have not found any way of
choosing what headers should be added by Pound; as I understand it, it's all
or nothing. We are using Pound 2.2.7 on CentOS but I've read the change log
for the latest version and could not find any related fixes.

Any suggestions?

Regards,
Mattias

Re: [Pound Mailing List] Invalid characters in X-SSL-Subject/Issuer
Robert Segall <roseg(at)apsis.ch>
2009-07-09 18:12:19 [ FULL ]
On Thu, 2009-07-09 at 09:08 +0200, Mattias Öhrn wrote:[...]

I suggest you check with the OpenSSL people - Pound uses the regular
functions from that package to create the headers.

As an aside, I am not really sure that these headers are illegal - RFC
2616 talks about "octets", which I think should allow for this.[...]

Re: [Pound Mailing List] Invalid characters in X-SSL-Subject/Issuer
Mattias Öhrn <mattias.ohrn(at)gmail.com>
2009-07-10 09:55:07 [ FULL ]
Thanks for your reply.
First of all I'd like to know if it is possible to disable X-SSL-Subject and
X-SSL-Issuer headers without disabling the X-SSL-certificate header?

If that's not possible I probably need to determine where the error is.
Here's where I am right now:

The X-SSL-Subject header is definitely UTF-8 encoded (the 'Ö' is encoded as
0xC3 0x96, I was wrong about that in my previous message). This is probably
because the subject DN RDN values are UTF-8 encoded.

Does OpenSSL really build the entire header or is it only used to get the
subject and issuer DNs from the certificate? If it is the latter case I
don't think it is possible to blame OpenSSL.

As for what is a valid HTTP header value, I believe that, after reading RFC
2616 and RFC 2047 more carefully, a header value may contain TEXT which is
defined as any octet except for CTLs (octets 0-31 and 127) but including LWS
(which includes the control characters 9, 10, and 13). However, RFC 2616 also
says that

"Words of *TEXT MAY contain characters from character sets other than
ISO-8859-1 only when encoded according to the rules of RFC 2047".

RFC 2047 says that the character set of a header value can be specified by
prefixing the header value with ?charset?. 'Ö' actually does exist in
ISO-8859-1 but it is encoded as 0xD6, and the second of the two octets
produced when UTF-8 encoding the character (i.e. 0x96) is not assigned in
ISO-8859-1. This leads me to believe that the header really is invalid.
Please correct me if I'm wrong.

Regards,
Mattias


On Thu, Jul 9, 2009 at 6:12 PM, Robert Segall <roseg(at)apsis.ch> wrote:
[...]
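A Python check for the header grammar discussed in the two messages above, added here as an example; it is not Pound's own code (which is C) and not OpenSSL's. It classifies a raw X-SSL-Subject value against the RFC 2616 TEXT rule, flags the UTF-8 case (0xC3 0x96 for 'Ö') as falling outside ISO-8859-1, and builds a compliant value from a DN string: ISO-8859-1 where the text fits, otherwise an RFC 2047 encoded-word as the sentence quoted from RFC 2616 requires. The sample DN strings and every function name are assumptions made for illustration.

```python
import base64
import re

# RFC 2616 grammar as quoted in the thread:
#   TEXT = <any OCTET except CTLs, but including LWS>
#   CTL  = octets 0-31 and 127; LWS uses HT (9), LF (10) and CR (13).
CTL = set(range(32)) | {127}
LWS_CTL = {9, 10, 13}

# Constructed sample values, not taken from any real certificate.
SAMPLE_DN = "CN=Mattias Öhrn,O=Example"
SAMPLE_DN_UTF8 = SAMPLE_DN.encode("utf-8")          # 'Ö' -> 0xC3 0x96, the case in the thread
SAMPLE_DN_LATIN1 = SAMPLE_DN.encode("iso-8859-1")   # 'Ö' -> 0xD6


def is_rfc2616_text(value: bytes) -> bool:
    """True if every octet is allowed by the TEXT rule (CTLs banned, LWS allowed)."""
    return all(b not in CTL or b in LWS_CTL for b in value)


def classify_header_value(value: bytes) -> str:
    """Say which of the cases discussed in the thread a raw header value falls into."""
    if not is_rfc2616_text(value):
        return "invalid: contains a CTL octet"
    if all(b < 0x80 for b in value):
        return "ok: plain ASCII"
    # ISO-8859-1 defines no graphic characters at 0x80-0x9F, so a UTF-8
    # continuation byte such as 0x96 cannot be read as a Latin-1 character.
    if any(0x80 <= b <= 0x9F for b in value):
        return "needs RFC 2047: octets outside ISO-8859-1"
    return "ok: ISO-8859-1"


def rfc2047_encode(text: str, charset: str = "utf-8", max_len: int = 75) -> str:
    """Encode text as RFC 2047 'B' encoded-words of at most max_len characters each.

    Splitting is done on character boundaries so no multi-byte UTF-8 sequence is
    cut in two. Adjacent encoded-words are separated by a single space, which
    RFC 2047 tells decoders to ignore between encoded-words.
    """
    overhead = len(f"=?{charset}?B?") + len("?=")
    max_raw = ((max_len - overhead) // 4) * 3      # base64 turns 3 bytes into 4 chars
    words, chunk = [], b""
    for ch in text:
        enc = ch.encode(charset)
        if len(chunk) + len(enc) > max_raw:
            words.append(chunk)
            chunk = b""
        chunk += enc
    words.append(chunk)
    return " ".join(f"=?{charset}?B?{base64.b64encode(w).decode('ascii')}?=" for w in words)


def rfc2047_decode(value: str) -> str:
    """Decode a run of space-separated 'B' encoded-words back to text."""
    parts = []
    for word in value.split(" "):
        m = re.fullmatch(r"=\?([^?]+)\?B\?([^?]*)\?=", word)
        if not m:
            raise ValueError(f"not a B encoded-word: {word!r}")
        charset, b64 = m.groups()
        parts.append(base64.b64decode(b64).decode(charset))
    return "".join(parts)


def make_rfc2616_value(text: str) -> bytes:
    """Build a header value for a DN string that stays within RFC 2616.

    Rejects control characters (a raw CR/LF in a header value is the classic
    header-injection vector, so it is refused even though LWS is grammatically
    allowed), uses ISO-8859-1 when it can represent the text, and otherwise
    falls back to an RFC 2047 encoded-word.
    """
    if any((ord(c) < 32 and c != "\t") or ord(c) == 127 for c in text):
        raise ValueError("control characters are not allowed in a header value")
    try:
        return text.encode("iso-8859-1")
    except UnicodeEncodeError:
        return rfc2047_encode(text).encode("ascii")


if __name__ == "__main__":
    for label, raw in (("utf-8", SAMPLE_DN_UTF8), ("latin-1", SAMPLE_DN_LATIN1)):
        print(f"{label:8s} {raw!r}: {classify_header_value(raw)}")
    print(make_rfc2616_value(SAMPLE_DN))
    # 'Ž' has no ISO-8859-1 code point, so this one must use RFC 2047.
    encoded = rfc2047_encode("CN=Jörg Žák,O=Example")
    print(encoded, "->", rfc2047_decode(encoded))
```

Running it flags the UTF-8 form of the sample DN and passes the ISO-8859-1 form, which is the conclusion reached in the message above. Whether a given downstream HTTP stack (WCF in this case) will accept RFC 2047 encoded-words in a header value is a separate question the thread does not settle, so a consumer that only needs X-SSL-Certificate is better off ignoring the subject and issuer headers than decoding them.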
