diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index eb86792..218a840 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -88,7 +88,6 @@ compatibility variables.
SSL_CLIENT_CERT_CHAIN_ n | string | PEM-encoded certificates in client certificate chain |
SSL_CLIENT_CERT_RFC4523_CEA | string | Serial number and issuer of the certificate. The format matches that of the CertificateExactAssertion in RFC4523 |
SSL_CLIENT_VERIFY | string | NONE , SUCCESS , GENEROUS or FAILED: reason |
-SSL_CLIENT_EXT_KEYUSAGE_ purpose | string | true if certificate has the corresponding purpose otherwise false . |
SSL_SERVER_M_VERSION | string | The version of the server certificate |
SSL_SERVER_M_SERIAL | string | The serial of the server certificate |
SSL_SERVER_S_DN | string | Subject DN in server's certificate |
@@ -102,7 +101,6 @@ compatibility variables.
SSL_SERVER_A_SIG | string | Algorithm used for the signature of server's certificate |
SSL_SERVER_A_KEY | string | Algorithm used for the public key of server's certificate |
SSL_SERVER_CERT | string | PEM-encoded server certificate |
-SSL_SERVER_EXT_KEYUSAGE_ purpose | string | true if certificate has the corresponding purpose otherwise false . |
SSL_SRP_USER | string | SRP username |
SSL_SRP_USERINFO | string | SRP user info |
SSL_TLS_SNI | string | Contents of the SNI TLS extension (if supplied with ClientHello) |
@@ -125,17 +123,6 @@ the SSLOptions directive, the
first (or only) attribute of any DN is added only under a non-suffixed
name; i.e. no _0
suffixed entries are added.
-purpose specifies an extended key usage value either as a
-shortname or as an oid. Shortname are case insensitive. Since dots aren't
-permit on variable name if purpose define an oid all '.'
should
-be replace with '_'
. Theses are all valid values :
-SSL_CLIENT_EXT_KEYUSAGE_clientAuth
,
-SSL_CLIENT_EXT_KEYUSAGE_CLIENTAUTH
,
-SSL_CLIENT_EXT_KEYUSAGE_1_3_6_1_5_5_7_3_2
. RFC5280 stipulate
-that extended key usage extension must be consistent with
-key usage extension but no check of such are done here.
-
-
The format of the *_DN variables has changed in Apache HTTPD
2.3.11. See the LegacyDNStringFormat
option for
SSLOptions for details.
diff --git a/modules/ssl/ssl_engine_vars.c b/modules/ssl/ssl_engine_vars.c
index aecd2d5..413f7fe 100644
--- a/modules/ssl/ssl_engine_vars.c
+++ b/modules/ssl/ssl_engine_vars.c
@@ -43,7 +43,6 @@ static char *ssl_var_lookup_ssl(apr_pool_t *p, conn_rec *c, request_rec *r, char
static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs, char *var);
static char *ssl_var_lookup_ssl_cert_dn(apr_pool_t *p, X509_NAME *xsname, char *var);
static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var);
-static char *ssl_var_lookup_ssl_cert_ext_keyusage(apr_pool_t *p, X509 *xs, char *var);
static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm);
static char *ssl_var_lookup_ssl_cert_remain(apr_pool_t *p, ASN1_TIME *tm);
static char *ssl_var_lookup_ssl_cert_serial(apr_pool_t *p, X509 *xs);
@@ -519,9 +518,6 @@ static char *ssl_var_lookup_ssl_cert(apr_pool_t *p, request_rec *r, X509 *xs,
else if (strcEQ(var, "CERT")) {
result = ssl_var_lookup_ssl_cert_PEM(p, xs);
}
- else if (strlen(var) > 13 && strcEQn(var, "EXT_KEYUSAGE_", 13)) {
- result = ssl_var_lookup_ssl_cert_ext_keyusage(p, xs, var+13);
- }
if (resdup)
result = apr_pstrdup(p, result);
@@ -623,35 +619,6 @@ static char *ssl_var_lookup_ssl_cert_san(apr_pool_t *p, X509 *xs, char *var)
return NULL;
}
-static char * ssl_var_lookup_ssl_cert_ext_keyusage(apr_pool_t *p, X509 *xs, char *var)
-{
- char *oid = apr_pcalloc(p, 128);
- EXTENDED_KEY_USAGE *extusage;
-
- if( (extusage = X509_get_ext_d2i(xs, NID_ext_key_usage, NULL, NULL)) ){
- for (int i = 0; i < sk_ASN1_OBJECT_num(extusage); i++) {
- ASN1_OBJECT *obj = sk_ASN1_OBJECT_value(extusage, i);
- int nid = OBJ_obj2nid(obj);
-
- if(apr_strnatcasecmp(var, OBJ_nid2sn(nid)) == 0)
- return "true";
-
- //convert _ into . for oid
- for(int j = 0; var[j]; j++)
- if(var[j] == '_')
- var[j] = '.';
-
- OBJ_obj2txt(oid, 128, obj, 1);
- if(apr_strnatcasecmp(var, oid) == 0)
- return "true";
- }
-
- sk_ASN1_OBJECT_pop_free(extusage, ASN1_OBJECT_free);
- }
-
- return "false";
-}
-
static char *ssl_var_lookup_ssl_cert_valid(apr_pool_t *p, ASN1_TIME *tm)
{
char *result;