httpd-users mailing list archives
From lambam80 <lamba...@hotmail.com>
Subject Re: [users@httpd] SSL_CLIENT_S_DN_UID not available with client certificate authentication
Date Mon, 22 Mar 2010 11:51:07 GMT

FYI. This is a BUG with HTTP:

The problem was related to a
https://issues.apache.org/bugzilla/show_bug.cgi?id=45107 and so I put this
project on hold while waiting for Fedora 13 (with  httpd-2.2.14) where they
say the HTTPD BUG is fixed.
------
I simply couldn't wait until April 2010 (Fedora 13 with httpd-2.2.14)
so I used 
an unofficial copy of httpd-2.2.14 on Fedora 12 (and related RPMs) found
here:

[http://hany.sk/~hany/RPM/f-updates-12-i386/httpd-2.2.14-1.fc12.i686.html]

I then installed with the force option of RPM:
{code}
[root@James fc12]# ls -tlar

total 1884
drwxr-xr-x. 5   4096 2010-03-02 12:18 ..
-rw-rw-r--. 1 822820 2010-03-02 12:18 httpd-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1  146000 2010-03-02 12:18 httpd-devel-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1  67880 2010-03-02 12:18 httpd-tools-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1   85620 2010-03-02 12:18 mod_ssl-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1  787852 2010-03-02 12:18 httpd-manual-2.2.14-1.fc12.noarch.rpm

rpm -iv --force  *

[root@James fc12]# rpm -qa | grep httpd | sort

httpd-2.2.13-4.fc12.i686
httpd-2.2.14-1.fc12.i686
httpd-devel-2.2.13-4.fc12.i686
httpd-devel-2.2.14-1.fc12.i686
httpd-manual-2.2.13-4.fc12.noarch
httpd-manual-2.2.14-1.fc12.noarch
httpd-tools-2.2.13-4.fc12.i686
httpd-tools-2.2.14-1.fc12.i686
{code}

Dirty, but it works.
------


David (Dave) Donnan wrote:
> 
> Hello and thanks for all your help in the past.
> 
> I'm an ex-SUN (iplanet/Sun ONE) employee retraining on OpenSource so I 
> really appreciate any help that you can give me. It's incredible to see
> this community helping each other (for FREE !) and I intend to 
> participate actively in the future.
> 
> I've installed Fedora 12 with apache httpd-2.2.13-4.fc12.i686. I've 
> configured httpd for client-side certificate authentication.
> 
> Once authenticated, I have the following CGI environment variables:
> 
>     SSL_CLIENT_S_DN = /O=<organization>/CN=DONNAN
>     David/emailAddress=david.donnan@<company>.com/UID=T1234567
> 
>     SSL_CLIENT_S_DN_CN = DONNAN David
> 
>     SSL_CLIENT_S_DN_Email = david.donnan@<company>.com
> 
>     SSL_CLIENT_S_DN_O = <organization>
> 
>     ...
> 
> However, the following variable is not instantiated :
> 
>     SSL_CLIENT_S_DN_UID
> 
> Note that it appears, in fact, in SSL_CLIENT_S_DN (at the end) !!
> 
> Q1. Can anyone help me instantiate this variable - is there further 
> apache HTTPD configuration to be done ?
> 
> Notes:
> 
> 1. Last summer I thought the problem was related to the following BUG 
> and so I put this project on hold:
> 
>     https://issues.apache.org/bugzilla/show_bug.cgi?id=45107
> 
> Hence why I've waited for Fedora 12 where they say the above BUG is fixed.
> 
> 2. In the past I've had a similar problem with openSSL where I must 
> manually change openssl.cnf as follows:
> 
>     [ new_oids ]
> 
>     # We can add new OIDs in here for use by 'ca' and 'req'.
>     # Add a simple OID like this:
>     # testoid1=1.2.3.4
>     # Or use config file substitution like this:
>     # testoid2=${testoid1}.5.6
>     # Following line added by DD Summer 2007
>     uid=0.9.2342.19200300.100.1.1
> 
> Reference:      
> http://www.openldap.org/lists/openldap-software/200309/msg00422.html
> BIG thanks to Jeff Warnica for the OpenSSL solution.
> 
> Q2. Is this related, perhaps ?
> 
> 3. /etc/httpd/conf.d/ssl.conf
> 
>     Listen 0.0.0.0:443
>     AddType application/x-x509-ca-cert .crt
>     AddType application/x-pkcs7-crl    .crl
>     SSLPassPhraseDialog  builtin
>     SSLSessionCache        none
>     SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
>     SSLSessionCacheTimeout  20
>     # SSLMutex  file:logs/ssl_mutex
>     SSLMutex  default
>     SSLRandomSeed startup builtin
>     SSLRandomSeed connect builtin
>     SSLCryptoDevice builtin
>     <VirtualHost _default_:443>
>     ErrorLog logs/ssl_error_log
>     TransferLog logs/ssl_access_log
>     SSLEngine on
>     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>     SSLCertificateFile /etc/httpd/conf/<hostname>.pem
>     SSLCertificateKeyFile  /etc/httpd/conf/<hostname>.key
>     # SSLCACertificateFile /etc/httpd/conf/ca.pem
>     SSLCACertificateFile /etc/httpd/conf/<name>.pem
>     SSLVerifyClient require
>     SSLVerifyDepth  10
>     # SSLUserName SSL_CLIENT_S_DN_Email
>     SSLUserName SSL_CLIENT_S_DN
>     # SSLUserName SSL_CLIENT_S_DN_CN
>     # SSLUserName SSL_CLIENT_S_DN_UID
>     # SSLUserName SSL_CLIENT_S_DN_NID_userId
>     <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>         SSLOptions +StdEnvVars
>     </Files>
>     <Directory "/var/www/cgi-bin">
>         SSLOptions +StdEnvVars
>     </Directory>
>     SetEnvIf User-Agent ".*MSIE.*" \
>              nokeepalive ssl-unclean-shutdown \
>              downgrade-1.0 force-response-1.0
>     CustomLog logs/ssl_request_log \
>               "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>     </VirtualHost>
> 
> 4. test:cgi
> 
>     #!/usr/bin/perl
>     use strict;
>     use warnings;
> 
>     # Dump every CGI environment variable, including the SSL_CLIENT_* ones
>     print "Content-type: text/html\n\n";
>     print "<tt>\n";
>     foreach my $key (sort keys(%ENV)) {
>         print "$key = $ENV{$key}<p>";
>     }
>     print "</tt>\n";
> 
> 
> Any help would be greatly appreciated, thanks, Dave
> -----
> 
> 

-- 
View this message in context: http://old.nabble.com/-users%40httpd--SSL_CLIENT_S_DN_UID-not-available-with-client-certificate-authentication-tp27745302p27985263.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.
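As an added example (not code from this thread), a CGI-side helper in Python that does what the quoted Perl test script leads up to: it prefers SSL_CLIENT_S_DN_UID when mod_ssl exports it and otherwise extracts UID from the full SSL_CLIENT_S_DN, and it accepts either only when SSL_CLIENT_VERIFY is SUCCESS. The sample environment, organisation and e-mail values are constructed placeholders; splitting the oneline DN only at "/Type=" boundaries is an assumption about the format shown in the quoted output.

```python
import re

# Legacy OpenSSL "oneline" DN, as shown in the quoted CGI output:
#   /O=<organization>/CN=DONNAN David/emailAddress=...@<company>.com/UID=T1234567
# Split only on a "/" that starts a new "Type=" attribute, so a "/" inside a
# value (which this format does not escape) does not break the parse.
_RDN_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_oneline_dn(dn):
    """Return an ordered list of (type, value) pairs from a oneline DN."""
    dn = dn.strip()
    if not dn.startswith("/"):
        raise ValueError("expected a oneline DN starting with '/'")
    pairs = []
    for rdn in _RDN_SPLIT.split(dn[1:]):
        attr, _, value = rdn.partition("=")
        pairs.append((attr, value))
    return pairs


def client_uid(env):
    """Return the verified client certificate's UID, or None.

    Prefers SSL_CLIENT_S_DN_UID (present once mod_ssl exports it) and
    falls back to parsing SSL_CLIENT_S_DN on builds where it is missing.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None  # no verified client certificate: no identity
    uid = env.get("SSL_CLIENT_S_DN_UID")
    if uid:
        return uid
    dn = env.get("SSL_CLIENT_S_DN")
    if not dn:
        return None
    uids = [v for t, v in parse_oneline_dn(dn) if t.upper() == "UID"]
    # Exactly one UID attribute is required; zero or several is rejected.
    return uids[0] if len(uids) == 1 else None


# Constructed CGI environment mirroring the poster's variables (placeholders).
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/O=ExampleOrg/CN=DONNAN David"
                       "/emailAddress=david.donnan@example.com/UID=T1234567",
}

if __name__ == "__main__":
    # In a real CGI, pass os.environ instead of the constructed sample.
    print(client_uid(SAMPLE_ENV))  # T1234567
```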


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

