Why does Nginx provide a client SSL connection in reverse order?

I am curious why some web servers (e.g. Nginx) provide the SSL client DN in reverse order.

The web application sends the DN to a Java web service, which tries to create a javax.naming.ldap.LdapName from it.

Standard order (LDAP or X500Name):

"CN=Jimmy Blooptoop,OU=Someplace,OU=Employees,DC=Bloopsoft-Inc" 

Reverse order (OpenSSL "oneline" format) (what Nginx returns as $ssl_client_s_dn):

 "/DC=Bloopsoft-Inc/OU=Employees/OU=Someplace/CN=Jimmy Blooptoop" 

Why is this?

Which one matches the LDAP RFC?

Or do they both?

LDAP RFC Notes:

There are many RFCs associated with LDAP: https://www.ldap.com/ldap-specifications-defined-in-rfcs

Many people refer to different ones, here is an attempt at their quick history:

  • July 1993: RFC 1485 - String Representation of Distinguished Names
  • March 1995: RFC 1779 - String Representation of Distinguished Names
  • December 1997: RFC 2253 - Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
  • September 2002: RFC 3377 - Lightweight Directory Access Protocol (v3): Technical Specification (RFC 2253 Update)
  • March 2003: RFC 3494 - Lightweight Directory Access Protocol version 2 (LDAPv2) to Historic Status (retiring RFC 1485, RFC 1779)
  • June 2006: RFC 4514 - Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names

Most recent, obsoleting the earlier ones: RFC 4514: Lightweight Directory Access Protocol (LDAP): String Representation of Distinguished Names

Java library:

Is there a Java library for converting back and forth (from reverse, and not vice versa)? LdapName throws an InvalidNameException on the reverse form. It seems like the reverse format must come up often.

1 answer

Why is this?

This is because that is what OpenSSL returns. Apache HTTPD does the same because it also uses OpenSSL.

Which one matches LDAP RFC?

The one you call "standard order." However, this is an SSL certificate and SSL API. It has nothing to do with LDAP, and there is no reason why it should comply with any LDAP RFC. This is just another way of providing the DN of the certificate object. This is determined by X.509, not LDAP (although they are ultimately all defined by X.500, at least initially).

Is there a Java library for converting back and forth (from reverse, and not vice versa)?

Off topic, and not that I know of, but easy enough to write:

    import java.util.ArrayList;
    import java.util.List;
    import javax.naming.InvalidNameException;
    import javax.naming.NamingException;
    import javax.naming.ldap.LdapName;
    import javax.naming.ldap.Rdn;

    public class OpenSSLSubjectName {
        private final String name;

        public OpenSSLSubjectName(String name) {
            this.name = name;
        }

        // RFC 2253/4514 string form, e.g. "CN=Jimmy Blooptoop,OU=Someplace,OU=Employees,DC=Bloopsoft-Inc".
        public String getX500Name() throws NamingException {
            return getLdapName().toString();
        }

        public LdapName getLdapName() throws NamingException {
            List<Rdn> rdns = new ArrayList<>();
            // The OpenSSL one-line form "/DC=.../OU=.../CN=..." lists the least significant
            // RDN first. That is also the order of LdapName's RDN list (index 0 is the
            // rightmost RDN of the string form), so no reversal is needed here.
            String[] parts = name.split("/");
            for (int i = 1; i < parts.length; i++) { // parts[0] is the empty string before the leading "/"
                int eq = parts[i].indexOf('=');
                if (eq < 1) {
                    throw new InvalidNameException("Bad RDN in OpenSSL subject: " + parts[i]);
                }
                // Rdn(type, value) escapes the value (commas, plus signs, ...) as RFC 2253 requires;
                // the one-line format does not escape them. Note that a '/' inside a value cannot be
                // told apart from a separator in this format.
                rdns.add(new Rdn(parts[i].substring(0, eq), parts[i].substring(eq + 1)));
            }
            return new LdapName(rdns);
        }
    }

E & O.E.
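As an added example (not code from the question, the answer, nginx or OpenSSL), here is the same conversion in both directions, written to show the two things the one-line format quietly drops: RFC 4514 escaping of special characters in values (",", "+", '"', "\", "<", ">", ";", leading "#", leading or trailing space) and the ambiguity of an unescaped "/" inside a value. Sample DNs are constructed for the example; the Bloopsoft name is the one from the question. Multi-valued RDNs ("+") are out of scope. Practical note: nginx changed $ssl_client_s_dn to the RFC 2253 format in 1.11.6 and kept the old one-line form in $ssl_client_s_dn_legacy, so on current versions this conversion is only needed for the legacy variable.

```python
"""Convert between OpenSSL's one-line DN format ("/DC=a/OU=b/CN=c", what older
nginx exposes as $ssl_client_s_dn) and the RFC 4514 string form that
javax.naming.ldap.LdapName expects ("CN=c,OU=b,DC=a")."""
from __future__ import annotations

# RFC 4514 section 2.4: characters that must be backslash-escaped inside a value.
_SPECIAL = set('",+;<>\\')
_HEX = '0123456789abcdefABCDEF'


def escape_rfc4514_value(value: str) -> str:
    """Escape one attribute value per RFC 4514 section 2.4."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == ' ' and i in (0, last)) or (ch == '#' and i == 0):
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        else:
            out.append(ch)
    return ''.join(out)


def parse_openssl_oneline(dn: str) -> list[tuple[str, str]]:
    """"/DC=a/OU=b/CN=c" -> [("DC","a"), ("OU","b"), ("CN","c")], least significant first.

    The one-line format does not escape "/", so a value containing "/" splits into
    a fragment without "="; that case is rejected instead of silently misparsed.
    (A fragment like "a/b=c" would still be misread: the format is lossy.)"""
    if not dn.startswith('/'):
        raise ValueError('expected an OpenSSL one-line DN starting with "/"')
    rdns = []
    for part in dn[1:].split('/'):
        typ, sep, val = part.partition('=')
        if not sep or not typ:
            raise ValueError(f'cannot parse RDN fragment {part!r}')
        rdns.append((typ, val))
    return rdns


def oneline_to_rfc4514(dn: str) -> str:
    """Reverse the RDN order and escape the values."""
    rdns = parse_openssl_oneline(dn)
    return ','.join(f'{t}={escape_rfc4514_value(v)}' for t, v in reversed(rdns))


def _split_unescaped(s: str, sep: str) -> list[str]:
    """Split on sep, leaving backslash escape pairs (including "\\XX") intact."""
    parts, buf, i = [], [], 0
    while i < len(s):
        if s[i] == '\\':
            if i + 1 >= len(s):
                raise ValueError('dangling backslash in DN')
            buf.append(s[i:i + 2])
            i += 2
        elif s[i] == sep:
            parts.append(''.join(buf))
            buf = []
            i += 1
        else:
            buf.append(s[i])
            i += 1
    parts.append(''.join(buf))
    return parts


def _unescape(value: str) -> str:
    """Undo RFC 4514 escaping; "\\XX" pairs are UTF-8 bytes, so decode at the end."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == '\\':
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and pair[0] in _HEX and pair[1] in _HEX:
                out.append(int(pair, 16))
                i += 3
            else:
                out += value[i + 1].encode('utf-8')
                i += 2
        else:
            out += value[i].encode('utf-8')
            i += 1
    return out.decode('utf-8')


def parse_rfc4514(dn: str) -> list[tuple[str, str]]:
    """"CN=c,OU=b,DC=a" -> [("CN","c"), ("OU","b"), ("DC","a")], most significant first."""
    rdns = []
    for raw in _split_unescaped(dn, ','):
        typ, sep, val = raw.partition('=')  # attribute types are never escaped
        if not sep or not typ.strip():
            raise ValueError(f'cannot parse RDN {raw!r}')
        rdns.append((typ.strip(), _unescape(val)))
    return rdns


def rfc4514_to_oneline(dn: str) -> str:
    """RFC 4514 -> OpenSSL one-line. Values are emitted raw, as OpenSSL does, so a "/"
    in a value produces a string that parse_openssl_oneline cannot read back."""
    return ''.join(f'/{t}={v}' for t, v in reversed(parse_rfc4514(dn)))
```

The escaping is the part that matters in practice: a subject such as "O=Bloopsoft, Inc" comes out of the one-line format as "/O=Bloopsoft, Inc/CN=x", and feeding the naively reversed "CN=x,O=Bloopsoft, Inc" to an RFC 4514 parser yields three RDNs, the last of which has no "=" and is rejected.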
