What do you mean, elected?
Some of you might have heard about it or seen it on jimjag’s blog: Yes, it is true. I have been elected to the board of the Apache Software Foundation.
I still feel thrilled, scared, stumped and excited at the same time. I will try to pay back this credit of trust during my board term.
Tags: apache, open source
Harmony is needed
The letter.
The FAQ.
Tags: apache, java, open letter, sun
A journey through Maven Land
No, this is not one of my Maven rants, though it could easily be. This is however a short tale on how the Velocity site has been set up using Apache Maven 2 and a number of plugins written for Maven 2.
What I wanted to have is a site that pulls some information out of the Site POM and still uses the Maven 2 Site plugin and the reports to build.
In the end, I wrote for the site
- A Plugin that allows the Maven 2 renderer (Doxia) to render pages generated from Velocity templates (this is after all for the Velocity site…)
- A custom skin to get the look and feel of the old Velocity site, though it is already being discussed as “antiquated”. But now it is only a simple matter of changing a CSS file. And generating the site with its own custom skin allowed us to sneak in an RSS feed that you can subscribe to if you want to keep up to date with Velocity news.
- And finally a plugin that reads an XML-formatted news file and builds teaser elements, a news page and (by using the amazing powers of the Rome library) an RSS 2.0 feed about the news.
Nothing of that stuff is really Velocity specific, though it got created for the Velocity site and will stay here (under site/tools) for a while. Brett suggested the Maven sandbox but having experienced how stuff in Maven land moves like a quagmire in a hail storm, I do not want to put essential site building tools there (yet?).
Ah well, in the process of that, I learned more about Maven, Plexus, Doxia and the rest of the zoo than I really wanted [1, 2, 3, 4, 5, 6, 7], and in the end I had to rewrite a part of the Doxia Decoration Model to get my reactor-built site to get all the links and breadcrumbs right (You never heard of the Doxia Decoration Model? That is not really surprising. There are zero docs about it). But I said that I do not want to rant.
So in the end, yes: The resulting site is satisfying to me and hopefully also to our users. Comments welcome.
Tags: apache, code, maven, velocity
When UID is not UID…
So today, I had to juggle with client side certificate authentication. No big deal, one would think. This is 2006, not 1996 and client side certificates are well established. Little did I know. Little did I know…
Our requirement was that the certificate contain a number of fields and be signed by our own in-house CA. This is not a big thing; TinyCA did the job really nicely. Loading the user certs into the browser is no big deal either.
So I set up my Apache webserver (which is 2.0.54 included with Fedora 4):
SSLEngine on
SSLCertificateFile /etc/pki/tls/certs/server.crt
SSLCertificateKeyFile /etc/pki/tls/private/server.key
SSLCertificateChainFile /etc/pki/tls/certs/CA.crt
SSLCACertificateFile /etc/pki/tls/certs/CA.crt
[...]
<Limit...>
SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/
and %{SSL_CLIENT_I_DN_O} eq "CA Authority" )
SSLVerifyDepth 1
SSLVerifyClient require
</Limit...>
Hey, it works. Really nice, too. However, now comes the twist. My certificates look like this:
[Wed May 17 13:15:13 2006] [debug] ssl_engine_kernel.c(1166): Certificate Verification: depth: 0, subject: /C=DE/ST=Bayern/L=Nuernberg/O=Company/OU=Company Users/CN=Henning Schmiedehausen/emailAddress=henning@company/UID=henning,
issuer: /C=DE/ST=Bayern/L=Nuremberg/O=CA Authority/OU=Administration/CN=CA/emailAddress=admin@company
Now I wanted to use the certificates to set the user name. With Apache, this is easy:
SSLUserName SSL_CLIENT_S_DN_UID
But it does not work! httpd doesn’t fill out this variable. However, the %{SSL_CLIENT_S_DN} field does contain an OID for userId, but mod_ssl ignores it. What the…?
This is what my certificate contains (openssl asn1parse output):
426:d=3  hl=2 l=  23 cons: SET
428:d=4  hl=2 l=  21 cons: SEQUENCE
430:d=5  hl=2 l=  10 prim: OBJECT            :userId
442:d=5  hl=2 l=   7 prim: PRINTABLESTRING   :henning
451:d=2  hl=4 l= 546 cons: SEQUENCE
This is what Apache httpd 2.0.x expects from the certificate (in modules/ssl/ssl_engine_vars.c, around line 380):
/* This has been removed in OpenSSL 0.9.8-dev. */
#ifdef NID_uniqueIdentifier
{ "UID", NID_uniqueIdentifier },
#endif
And OpenSSL 0.9.7f (also Fedora Core 4) tells you:
openssl/objects.h:
#define SN_uniqueIdentifier "UID"
#define LN_uniqueIdentifier "uniqueIdentifier"
#define NID_uniqueIdentifier 102
#define OBJ_uniqueIdentifier OBJ_X509,45L
openssl/obj_mac.h:
#define SN_userId "UID"
#define LN_userId "userId"
#define NID_userId 458
#define OBJ_userId OBJ_pilotAttributeType,1L
So I messed up. Not a big problem. UID means “uniqueIdentifier” and is not the same as “userName”. Should be corrected easily?!?
Enter Fedora Core 5 and Apache 2.2…
modules/ssl/ssl_engine_vars.c:
#ifdef NID_x500UniqueIdentifier /* new name as of Openssl 0.9.7 */
{ "UID", NID_x500UniqueIdentifier },
#else /* old name, OpenSSL < 0.9.7 */
{ "UID", NID_uniqueIdentifier },
#endif
openssl/objects.h:
#define SN_uniqueIdentifier "UID"
#define LN_uniqueIdentifier "uniqueIdentifier"
#define NID_uniqueIdentifier 102
#define OBJ_uniqueIdentifier OBJ_X509,45L
openssl/obj_mac.h:
#define LN_x500UniqueIdentifier "x500UniqueIdentifier"
#define NID_x500UniqueIdentifier 503
#define OBJ_x500UniqueIdentifier OBJ_X509,45L
#define SN_userId "UID"
#define LN_userId "userId"
#define NID_userId 458
#define OBJ_userId OBJ_pilotAttributeType,1L
So NID_uniqueIdentifier is different from NID_x500UniqueIdentifier, which in turn seems to hold a bit string according to the uniqueIdentifier definition (the 45L in the OBJ_… define is the same as the 45 OID subtype on that page). And Apache 2.2 uses a different NID_ value depending on whether it is compiled against OpenSSL 0.9.7 or OpenSSL 0.9.8.
And most of the time, people (and CAs!) will not fill out the uniqueIdentifier field. They will use the userId field (which, by the way, is documented here). And they will wonder why their SSL_CLIENT_S_DN_UID field is never filled out, even though there is a UID in the DN of the certificate.
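To make the mismatch concrete, here is a small added example (my own illustration, not code from httpd or OpenSSL). It builds a constructed DER-encoded X.509 Name that carries the pilot userId attribute, exactly as the asn1parse dump above shows, and then resolves SSL_CLIENT_S_DN_* variables the way ssl_engine_vars.c does: by looking each short name up in a table of OIDs. With "UID" mapped to X.500 uniqueIdentifier (2.5.4.45, the OBJ_X509,45L from objects.h) the variable is simply absent; with "UID" mapped to userId (0.9.2342.19200300.100.1.1, the OBJ_pilotAttributeType,1L from obj_mac.h) it is filled. The table names MODSSL_TABLE and USERID_TABLE, the helper functions and the sample DN are all assumptions made for this example.

```python
"""Tiny DER walker that mirrors how mod_ssl turns an X.509 Name into
SSL_CLIENT_S_DN_* variables: each short name maps to one OID, and an
attribute with a different OID is invisible, whatever its short name is."""

# OIDs taken from the objects.h / obj_mac.h excerpts quoted in the post
OID_X500_UNIQUE_IDENTIFIER = "2.5.4.45"            # OBJ_X509,45L
OID_USER_ID = "0.9.2342.19200300.100.1.1"          # OBJ_pilotAttributeType,1L
OID_COMMON_NAME = "2.5.4.3"
OID_ORG = "2.5.4.10"

TAG_SEQUENCE, TAG_SET, TAG_OID, TAG_PRINTABLESTRING = 0x30, 0x31, 0x06, 0x13


def encode_oid(dotted: str) -> bytes:
    """Dotted OID -> DER contents octets (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(data: bytes) -> str:
    """DER contents octets -> dotted OID."""
    first = data[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value = 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:          # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a definite-length DER TLV (short or long length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def read_tlv(data: bytes, pos: int):
    """Return (tag, contents, position after this TLV)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def expect(tag: int, wanted: int) -> None:
    if tag != wanted:
        raise ValueError(f"unexpected DER tag 0x{tag:02x}, wanted 0x{wanted:02x}")


def build_name(attrs) -> bytes:
    """Name ::= SEQUENCE OF SET OF SEQUENCE { OID, PrintableString }."""
    rdns = b"".join(
        tlv(TAG_SET, tlv(TAG_SEQUENCE,
                         tlv(TAG_OID, encode_oid(oid))
                         + tlv(TAG_PRINTABLESTRING, val.encode("ascii"))))
        for oid, val in attrs)
    return tlv(TAG_SEQUENCE, rdns)


def parse_name(der: bytes):
    """Walk a DER Name and return [(dotted_oid, value), ...]."""
    tag, body, _ = read_tlv(der, 0)
    expect(tag, TAG_SEQUENCE)
    attrs, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = read_tlv(body, pos)
        expect(tag, TAG_SET)
        tag, atv, _ = read_tlv(rdn, 0)
        expect(tag, TAG_SEQUENCE)
        tag, oid_bytes, p = read_tlv(atv, 0)
        expect(tag, TAG_OID)
        _, val, _ = read_tlv(atv, p)
        attrs.append((decode_oid(oid_bytes), val.decode("ascii")))
    return attrs


# Short-name -> OID tables in the spirit of ssl_engine_vars.c (assumed names).
# httpd 2.0/2.2 binds "UID" to X.500 uniqueIdentifier ...
MODSSL_TABLE = {"CN": OID_COMMON_NAME, "O": OID_ORG, "UID": OID_X500_UNIQUE_IDENTIFIER}
# ... while the certificate in the post carries the pilot userId attribute.
USERID_TABLE = {"CN": OID_COMMON_NAME, "O": OID_ORG, "UID": OID_USER_ID}


def dn_vars(der: bytes, table) -> dict:
    """Resolve SSL_CLIENT_S_DN_<short> variables for one Name and one table."""
    by_oid = dict(parse_name(der))
    return {f"SSL_CLIENT_S_DN_{short}": by_oid[oid]
            for short, oid in table.items() if oid in by_oid}


# Constructed sample DN modelled on the log line in the post (not a real cert).
SAMPLE_DN = build_name([(OID_ORG, "Company"),
                        (OID_COMMON_NAME, "Henning Schmiedehausen"),
                        (OID_USER_ID, "henning")])

if __name__ == "__main__":
    print("httpd mapping :", dn_vars(SAMPLE_DN, MODSSL_TABLE))   # no UID variable
    print("userId mapping:", dn_vars(SAMPLE_DN, USERID_TABLE))   # UID = henning
```

Running it prints the variables twice: under the httpd-style table the UID entry is missing even though the DN visibly contains "UID=henning", under the userId table it appears. That is the whole story of the empty SSL_CLIENT_S_DN_UID in one lookup; the short name "UID" is shared by two unrelated OIDs, and only the OID decides.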
Is that a bug? You decide.
Tags: apache, client side certificates, fedora, openssl
ApacheCon 2005
So I just booked the most bizarre flight in my life yet. I’ll be going to San Diego BTW to speak and listen at ApacheCon 2005 US.
However, I will be going NUE - MUC - FRA - SFO - SAN on the outbound and SAN - SFO - LHR - MUC - NUE on the inbound leg. (NUE = Nuremberg airport, which is ~ 10 minutes’ drive from my home. MUC is Munich, FRA is Frankfurt.)
All because the conference is quite close to the Christmas holidays this year and getting a direct flight from NUE would have been more than twice as expensive as going from MUC. And a flight from NUE to MUC (which is ~ 80 miles and less than 20 minutes flight time) is cheaper and faster (!) than going by train… And no, this is not “with different airlines”. Everything is Lufthansa or Lufthansa, operated by United.
Tags: apache, apachecon, flight, lufthansa