Re: SSL_CLIENT_S_DN_UID not available with client certificate authentication

Oops, upon closer inspection of the BUG found here: https://issues.apache.org/bugzilla/show_bug.cgi?id=45107

I see the following at the bottom:
This issue was fixed in 2.2.x branch with r811812 and will ship with httpd 2.2.14.
Assuming the BUG is, in fact, my problem, I'll wait and test with 2.2.14.

Sorry, I was testing with 2.2.13.

Cdlt, Dave
----
David (Dave) Donnan wrote:
Hello and thanks for all your help in the past.

I'm an ex-SUN (iPlanet/Sun ONE) employee retraining on open source, so I really appreciate any help that you can give me. It's incredible to see this community helping each other (for FREE!) and I intend to participate actively in the future.

I've installed Fedora 12 with apache httpd-2.2.13-4.fc12.i686. I've configured httpd for client-side certificate authentication.

Once authenticated, I have the following CGI environment variables:
SSL_CLIENT_S_DN = /O=<organization>/CN=DONNAN David/emailAddress=david.donnan@<company>.com/UID=T1234567

SSL_CLIENT_S_DN_CN = DONNAN David

SSL_CLIENT_S_DN_Email = david.donnan@<company>.com

SSL_CLIENT_S_DN_O = <organization>

...

However, the following variable is not instantiated:
SSL_CLIENT_S_DN_UID
Note that it appears, in fact, in SSL_CLIENT_S_DN (at the end)!!

Q1. Can anyone help me instantiate this variable - is there further Apache HTTPD configuration to be done?

Notes:

1. Last summer I thought the problem was related to the following BUG and so I put this project on hold:

    https://issues.apache.org/bugzilla/show_bug.cgi?id=45107

Hence I've waited for Fedora 12, where they say the above BUG is fixed.

2. In the past I've had a similar problem with OpenSSL, where I must manually change openssl.cnf as follows:
[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Following line added by DD Summer 2007
uid=0.9.2342.19200300.100.1.1

Reference: http://www.openldap.org/lists/openldap-software/200309/msg00422.html
BIG thanks to Jeff Warnica for the OpenSSL solution.

Q2. Is this related, perhaps?

3. /etc/httpd/conf.d/ssl.conf

Listen 0.0.0.0:443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl
SSLPassPhraseDialog  builtin
SSLSessionCache        none
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  20
# SSLMutex  file:logs/ssl_mutex
SSLMutex  default
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/<hostname>.pem
SSLCertificateKeyFile  /etc/httpd/conf/<hostname>.key
# SSLCACertificateFile /etc/httpd/conf/ca.pem
SSLCACertificateFile /etc/httpd/conf/<name>.pem
SSLVerifyClient require
SSLVerifyDepth  10
# SSLUserName SSL_CLIENT_S_DN_Email
SSLUserName SSL_CLIENT_S_DN
# SSLUserName SSL_CLIENT_S_DN_CN
# SSLUserName SSL_CLIENT_S_DN_UID
# SSLUserName SSL_CLIENT_S_DN_NID_userId
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

4. test:cgi
#!/usr/bin/perl
use strict;
use warnings;

# Dump every CGI environment variable (including the SSL_* ones exported
# by "SSLOptions +StdEnvVars"), HTML-escaped so that DN values containing
# '<', '>' or '&' are displayed literally instead of being parsed as markup.
print "Content-type: text/html\n\n";
print "<tt>\n";
foreach my $key (sort keys %ENV) {
    (my $val = $ENV{$key}) =~ s/([<>&"])/sprintf('&#%d;', ord($1))/ge;
    print "$key = $val<p>\n";
}
print "</tt>\n";


Any help would be greatly appreciated, thanks, Dave
-----
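The post notes that the UID is present at the end of SSL_CLIENT_S_DN even though SSL_CLIENT_S_DN_UID is not set on httpd 2.2.13. Until the fixed release is installed, a CGI can recover it from the full DN; the following is an added example, not code from the post or from httpd, and the environment it parses is a constructed sample modelled on the one shown above. The "oneline" DN format has no escaping for '/', so the split below keys on '/' followed by 'attr=' rather than on every '/', which is the best a parser of that format can do.

```python
import re

# Boundary between RDNs in the OpenSSL "oneline" DN string that mod_ssl 2.2
# exports as SSL_CLIENT_S_DN: a '/' followed by an attribute type (CN,
# emailAddress, UID, or a dotted OID) and '='.  Splitting with a lookahead
# instead of on every '/' keeps a '/' inside a value (O=Acme/Research) intact.
_RDN_SPLIT = re.compile(r'/(?=(?:[A-Za-z][A-Za-z0-9]*|\d+(?:\.\d+)+)=)')

def parse_oneline_dn(dn):
    """Return [(type, value), ...] for a '/O=.../CN=.../UID=...' string."""
    if not dn.startswith('/'):
        raise ValueError('not an OpenSSL oneline DN: %r' % dn)
    pairs = []
    for rdn in _RDN_SPLIT.split(dn[1:]):
        attr, sep, value = rdn.partition('=')
        if not sep:
            raise ValueError('malformed RDN: %r' % rdn)
        pairs.append((attr, value))
    return pairs

def dn_attribute(dn, attr):
    """All values of one attribute type, in certificate order."""
    return [v for a, v in parse_oneline_dn(dn) if a == attr]

def client_uid(environ):
    """UID of the authenticated client, or None.

    Prefers SSL_CLIENT_S_DN_UID when httpd sets it, otherwise falls back to
    parsing SSL_CLIENT_S_DN.  Either value is only trustworthy because
    "SSLVerifyClient require" made mod_ssl verify the certificate chain.
    """
    uid = environ.get('SSL_CLIENT_S_DN_UID')
    if uid:
        return uid
    dn = environ.get('SSL_CLIENT_S_DN')
    if not dn:
        return None
    values = dn_attribute(dn, 'UID')
    # A certificate carrying two UIDs must not be mapped to a single account.
    return values[0] if len(values) == 1 else None

# Constructed sample environment modelled on the post (UID only inside the DN).
SAMPLE_ENV = {
    'SSL_CLIENT_S_DN': '/O=Example Org/CN=DONNAN David'
                       '/emailAddress=david.donnan@example.com/UID=T1234567',
    'SSL_CLIENT_S_DN_CN': 'DONNAN David',
}
```

Once SSL_CLIENT_S_DN_UID is exported by a fixed httpd, client_uid() returns it directly and the DN parsing is never reached.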

