httpd-users mailing list archives

From "David (Dave) Donnan" <david.don...@thalesgroup.com>
Subject [users@httpd] SSL_CLIENT_S_DN_UID not available with client certificate authentication
Date Mon, 01 Mar 2010 15:51:34 GMT
Hello and thanks for all your help in the past.

I'm an ex-SUN (iPlanet/Sun ONE) employee retraining on open source so I 
really appreciate any help that you can give me. It's incredible to see
this community helping each other (for FREE!) and I intend to 
participate actively in the future.

I've installed Fedora 12 with apache httpd-2.2.13-4.fc12.i686. I've 
configured httpd for client-side certificate authentication.

Once authenticated, I have the following CGI environment variables:

    SSL_CLIENT_S_DN = /O=<organization>/CN=DONNAN David/emailAddress=david.donnan@<company>.com/UID=T1234567

    SSL_CLIENT_S_DN_CN = DONNAN David

    SSL_CLIENT_S_DN_Email = david.donnan@<company>.com

    SSL_CLIENT_S_DN_O = <organization>

    ...

However, the following variable is not instantiated:

    SSL_CLIENT_S_DN_UID

Note that it appears, in fact, in SSL_CLIENT_S_DN (at the end)!!

Q1. Can anyone help me instantiate this variable - is there further 
Apache HTTPD configuration to be done?

Notes:

1. Last summer I thought the problem was related to the following BUG 
and so I put this project on hold:

    https://issues.apache.org/bugzilla/show_bug.cgi?id=45107

Hence why I've waited for Fedora 12 where they say the above BUG is fixed.

2. In the past I've had a similar problem with openSSL where I must 
manually change openssl.cnf as follows:

    [ new_oids ]

    # We can add new OIDs in here for use by 'ca' and 'req'.
    # Add a simple OID like this:
    # testoid1=1.2.3.4
    # Or use config file substitution like this:
    # testoid2=${testoid1}.5.6
    # Following line added by DD Summer 2007
    uid=0.9.2342.19200300.100.1.1

Reference: http://www.openldap.org/lists/openldap-software/200309/msg00422.html
BIG thanks to Jeff Warnica for the OpenSSL solution.

Q2. Is this related, perhaps?

3. /etc/httpd/conf.d/ssl.conf

    Listen 0.0.0.0:443
    AddType application/x-x509-ca-cert .crt
    AddType application/x-pkcs7-crl    .crl
    SSLPassPhraseDialog  builtin
    SSLSessionCache        none
    SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
    SSLSessionCacheTimeout  20
    # SSLMutex  file:logs/ssl_mutex
    SSLMutex  default
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    SSLCryptoDevice builtin
    <VirtualHost _default_:443>
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    SSLEngine on
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
    SSLCertificateFile /etc/httpd/conf/<hostname>.pem
    SSLCertificateKeyFile  /etc/httpd/conf/<hostname>.key
    # SSLCACertificateFile /etc/httpd/conf/ca.pem
    SSLCACertificateFile /etc/httpd/conf/<name>.pem
    SSLVerifyClient require
    SSLVerifyDepth  10
    # SSLUserName SSL_CLIENT_S_DN_Email
    SSLUserName SSL_CLIENT_S_DN
    # SSLUserName SSL_CLIENT_S_DN_CN
    # SSLUserName SSL_CLIENT_S_DN_UID
    # SSLUserName SSL_CLIENT_S_DN_NID_userId
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
              "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
    </VirtualHost>

4. test.cgi

    #!/usr/bin/perl
    use strict;
    use warnings;
    # Escape HTML metacharacters: HTTP_USER_AGENT, QUERY_STRING etc. echo client input.
    sub html_escape { my ($s) = @_; $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; $s }
    print "Content-type: text/html\n\n";
    print "<tt>\n";
    foreach my $key (sort keys %ENV) {   # includes the SSL_* variables from +StdEnvVars
        print html_escape($key), " = ", html_escape($ENV{$key}), "<p>\n";
    }
    print "</tt>\n";


Any help would be greatly appreciated, thanks, Dave