FYI. This is a BUG with HTTP:

The problem was related to a https://issues.apache.org/bugzilla/show_bug.cgi?id=45107 and so I put this project on hold while waiting for Fedora 13 (with httpd-2.2.14) where they say the HTTPD BUG is fixed.

------

I simply couldn't wait until April 2010 (Fedora 13 with httpd-2.2.14) so I used an unofficial copy of httpd-2.2.14 on Fedora 12 (and related RPMs) found here:

[http://hany.sk/~hany/RPM/f-updates-12-i386/httpd-2.2.14-1.fc12.i686.html]

I then installed with the force option of RPM:

{code}
[root@James fc12]# ls -tlar
total 1884
drwxr-xr-x. 5 4096 2010-03-02 12:18 ..
-rw-rw-r--. 1 822820 2010-03-02 12:18 httpd-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1 146000 2010-03-02 12:18 httpd-devel-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1 67880 2010-03-02 12:18 httpd-tools-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1 85620 2010-03-02 12:18 mod_ssl-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1 787852 2010-03-02 12:18 httpd-manual-2.2.14-1.fc12.noarch.rpm
rpm -iv --force *
[root@James fc12]# rpm -qa | grep httpd | sort
httpd-2.2.13-4.fc12.i686
httpd-2.2.14-1.fc12.i686
httpd-devel-2.2.13-4.fc12.i686
httpd-devel-2.2.14-1.fc12.i686
httpd-manual-2.2.13-4.fc12.noarch
httpd-manual-2.2.14-1.fc12.noarch
httpd-tools-2.2.13-4.fc12.i686
httpd-tools-2.2.14-1.fc12.i686
{code}

Dirty, but it works.

------

David (Dave) Donnan wrote:
>
> Hello and thanks for all your help in the past.
>
> I'm an x SUN (iplanet/Sun ONE) employee retraining on OpenSource so I
> really appreciate any help that you can give me. It's incredible to see
> this community helping each other (for FREE !) and I intend to
> participate actively in the future.
>
> I've installed Fedora 12 with apache httpd-2.2.13-4.fc12.i686. I've
> configured httpd for client-side certificate authentication.
>
> Once authenticated, I have the following CGI environment variables:
>
> SSL_CLIENT_S_DN = /O=<organization>/CN=DONNAN David/emailAddress=david.donnan@<company>.com/UID=T1234567
>
> SSL_CLIENT_S_DN_CN = DONNAN David
>
> SSL_CLIENT_S_DN_Email = david.donnan@<company>.com
>
> SSL_CLIENT_S_DN_O = <organization>
>
> ...
>
> However, the following variable is not instantiated :
>
> SSL_CLIENT_S_DN_UID
>
> Note that it appears, in fact, in SSL_CLIENT_S_DN (at the end) !!
>
> Q1. Can anyone help me instantiate this variable - is there further
> apache HTTPD configuration to be done ?
>
> Notes:
>
> 1. Last summer I thought the problem was related to the following BUG
> and so I put this project on hold:
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=45107
>
> Hence why I've waited for Fedora 12 where they say the above BUG is fixed.
>
> 2. In the past I've had a similar problem with openSSL where I must
> manually change openssl.cnf as follows:
>
> [ new_oids ]
>
> # We can add new OIDs in here for use by 'ca' and 'req'.
> # Add a simple OID like this:
> # testoid1=1.2.3.4
> # Or use config file substitution like this:
> # testoid2=${testoid1}.5.6
> # Following line added by DD Summer 2007
> uid=0.9.2342.19200300.100.1.1
>
> Reference:
> http://www.openldap.org/lists/openldap-software/200309/msg00422.html
> BIG thanks to Jeff Warnica for the OpenSSL solution.
>
> Q2. Is this related, perhaps ?
>
> 3. /etc/httpd/conf.d/ssl.conf
>
> Listen 0.0.0.0:443
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
> SSLPassPhraseDialog builtin
> SSLSessionCache none
> SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
> SSLSessionCacheTimeout 20
> # SSLMutex file:logs/ssl_mutex
> SSLMutex default
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> SSLCryptoDevice builtin
> <VirtualHost _default_:443>
> ErrorLog logs/ssl_error_log
> TransferLog logs/ssl_access_log
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> SSLCertificateFile /etc/httpd/conf/<hostname>.pem
> SSLCertificateKeyFile /etc/httpd/conf/<hostname>.key
> # SSLCACertificateFile /etc/httpd/conf/ca.pem
> SSLCACertificateFile /etc/httpd/conf/<name>.pem
> SSLVerifyClient require
> SSLVerifyDepth 10
> # SSLUserName SSL_CLIENT_S_DN_Email
> SSLUserName SSL_CLIENT_S_DN
> # SSLUserName SSL_CLIENT_S_DN_CN
> # SSLUserName SSL_CLIENT_S_DN_UID
> # SSLUserName SSL_CLIENT_S_DN_NID_userId
> <Files ~ "\.(cgi|shtml|phtml|php3?)$">
> SSLOptions +StdEnvVars
> </Files>
> <Directory "/var/www/cgi-bin">
> SSLOptions +StdEnvVars
> </Directory>
> SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
> CustomLog logs/ssl_request_log \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
> </VirtualHost>
>
> 4. test:cgi
>
> #!/usr/bin/perl
>
> print "Content-type: text/html\n\n";
> print "<tt>\n";
> foreach $key (sort keys(%ENV)) {
>     print "$key = $ENV{$key}<p>";
> }
>
>
> Any help would be greatly appreciated, thanks, Dave
> -----
>
>

--
View this message in context: http://old.nabble.com/-users%40httpd--SSL_CLIENT_S_DN_UID-not-available-with-client-certificate-authentication-tp27745302p27985263.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.
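Added example, not part of the original thread: a fallback a CGI could use to read the UID out of SSL_CLIENT_S_DN when SSL_CLIENT_S_DN_UID is not set, as in the environment dump quoted above. It assumes the slash-separated `/type=value` layout shown in the post; the function names and the sample values are constructed for illustration, and a DN with zero or several UID components is rejected because this layout has no escaping for `/` inside a value.

```python
import re

# A component starts at "/" followed by an attribute type and "=".
_COMPONENT = re.compile(r"/([A-Za-z0-9.]+)=")


def split_oneline_dn(dn):
    """Split '/O=x/CN=y/UID=z' into [(type, value), ...].

    A '/' followed by 'type=' inside a value cannot be told apart from a
    real separator, so callers must treat repeated attributes as ambiguous.
    """
    if not dn.startswith("/"):
        raise ValueError("not a slash-separated DN")
    marks = list(_COMPONENT.finditer(dn))
    if not marks or marks[0].start() != 0:
        raise ValueError("DN does not start with a type=value component")
    parts = []
    for i, m in enumerate(marks):
        end = marks[i + 1].start() if i + 1 < len(marks) else len(dn)
        parts.append((m.group(1), dn[m.end():end]))
    return parts


def client_uid(environ):
    """Return the certificate UID, preferring mod_ssl's own variable."""
    direct = environ.get("SSL_CLIENT_S_DN_UID")
    if direct:
        return direct
    parts = split_oneline_dn(environ.get("SSL_CLIENT_S_DN", ""))
    uids = [value for attr, value in parts if attr == "UID"]
    if len(uids) != 1 or not uids[0]:
        # Zero or several UID components: refuse rather than pick one.
        raise ValueError("UID missing or ambiguous in subject DN")
    return uids[0]


# Constructed sample, shaped like the environment dump in the post.
SAMPLE = {
    "SSL_CLIENT_S_DN": "/O=ExampleOrg/CN=DONNAN David"
                       "/emailAddress=dave@example.com/UID=T1234567",
}

if __name__ == "__main__":
    print(client_uid(SAMPLE))
```

The duplicate check matters when the result feeds an authorization decision: a subject whose CN value itself contains `/UID=` would otherwise yield two candidates with no way to tell which one the CA asserted.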