Created attachment 32755
patch

Hi,

I've created a new environment variable in order to test for an extended key usage in a certificate, such as clientAuth for client certificate authentication.

This variable can then be used in a Require directive as follows:

    Require expr %{SSL_CLIENT_EXT_KEYUSAGE_clientAuth} == "true"

The format of the variable name is as follows:

    SSL_{CLIENT|SERVER}_EXT_KEYUSAGE_purpose

where purpose is either a short name (serverAuth, clientAuth, etc.) or an OID. Short names are case-insensitive, and each '.' in an OID must be replaced with '_'.

Here are some valid examples:

    SSL_CLIENT_EXT_KEYUSAGE_clientAuth
    SSL_SERVER_EXT_KEYUSAGE_SERVERAUTH
    SSL_CLIENT_EXT_KEYUSAGE_1_3_6_1_5_5_7_3_2

We may improve the comparison of OIDs by checking each number one by one instead of converting both var (replacing '_' with '.') and obj (converting it into char*) and doing a strcmp. But I'm not sure whether OpenSSL offers another way to get the OID other than OBJ_obj2txt().

We may also add the export of all the purposes as variables when +StdEnvVars is set in SSLOptions.

Please feel free to give me any feedback about the code, patch, documentation, etc.
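The variable name format described in the comment above, worked through as an added example; this is not code from the attached patch or from mod_ssl. The names eku_var_to_oid, eku_lookup and sample_ekus are hypothetical, the short-name table covers only six RFC 5280 purposes, and the certificate's EKU list is a constructed array of dotted OID strings rather than one read through OpenSSL.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
/* Short names and OIDs of common extended key usage purposes (RFC 5280). */
static const char *const eku_names[][2] = {
    { "serverAuth", "1.3.6.1.5.5.7.3.1" }, { "clientAuth", "1.3.6.1.5.5.7.3.2" },
    { "codeSigning", "1.3.6.1.5.5.7.3.3" }, { "emailProtection", "1.3.6.1.5.5.7.3.4" },
    { "timeStamping", "1.3.6.1.5.5.7.3.8" }, { "OCSPSigning", "1.3.6.1.5.5.7.3.9" },
};
const char *const sample_ekus[] = { "1.3.6.1.5.5.7.3.2", NULL }; /* constructed EKU list */

/* Hypothetical helper: write the dotted OID named by var into out; 0 on success,
 * -1 if var does not fit the format. Assumption: the prefix is matched exactly. */
int eku_var_to_oid(const char *var, char *out, size_t outlen)
{
    const char *p;
    size_t i;
    if (strncmp(var, "SSL_CLIENT_EXT_KEYUSAGE_", 24) != 0 &&
        strncmp(var, "SSL_SERVER_EXT_KEYUSAGE_", 24) != 0)
        return -1;
    p = var + 24;                       /* both prefixes are 24 characters long */
    if (*p == '\0' || strlen(p) >= outlen)
        return -1;
    if (!isdigit((unsigned char)*p)) {  /* short name form, case-insensitive */
        for (i = 0; i < sizeof eku_names / sizeof eku_names[0]; i++)
            if (strcasecmp(p, eku_names[i][0]) == 0)
                return snprintf(out, outlen, "%s", eku_names[i][1]) < (int)outlen ? 0 : -1;
        return -1;
    }
    for (i = 0; p[i]; i++) {            /* OID form: '_' stands for '.' */
        int dot = p[i] == '_' && isdigit((unsigned char)p[i + 1]);
        if (!dot && !isdigit((unsigned char)p[i]))
            return -1;                  /* also rejects "__" and a trailing '_' */
        out[i] = dot ? '.' : p[i];
    }
    out[i] = '\0';
    return 0;
}

/* "true" or "false" for a well-formed name, NULL for a malformed one. */
const char *eku_lookup(const char *var, const char *const *ekus)
{
    char oid[128];
    if (eku_var_to_oid(var, oid, sizeof oid) != 0)
        return NULL;
    while (*ekus && strcmp(oid, *ekus) != 0)
        ekus++;
    return *ekus ? "true" : "false";
}
```

Returning NULL for a malformed name keeps it distinct from "false", so a Require expression that compares against "true" fails closed on a mistyped purpose.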