httpd-users mailing list archives

From "David (Dave) Donnan" <david.don...@thalesgroup.com>
Subject Re: [users@httpd] SSL_CLIENT_S_DN_UID not available with client certificate authentication
Date Tue, 02 Mar 2010 09:45:27 GMT
Oops, upon closer inspection of the BUG found here:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45107

I see the following at the bottom:

    This issue was fixed in 2.2.x branch with r811812
    <https://svn.apache.org/viewcvs.cgi?view=rev&rev=811812> and will
    ship with httpd 2.2.14.

Assuming the BUG is, in fact, my problem, I'll wait and test with 2.2.14.

Sorry, I was testing with 2.2.13.

Cdlt, Dave
----

David (Dave) Donnan wrote:
> Hello and thanks for all your help in the past.
>
> I'm an ex-SUN (iPlanet/Sun ONE) employee retraining on OpenSource so I
> really appreciate any help that you can give me. It's incredible to see
> this community helping each other (for FREE !) and I intend to
> participate actively in the future.
>
> I've installed Fedora 12 with apache httpd-2.2.13-4.fc12.i686. I've 
> configured httpd for client-side certificate authentication.
>
> Once authenticated, I have the following CGI environment variables:
>
>     SSL_CLIENT_S_DN = /O=<organization>/CN=DONNAN David/emailAddress=david.donnan@<company>.com/UID=T1234567
>
>     SSL_CLIENT_S_DN_CN = DONNAN David
>
>     SSL_CLIENT_S_DN_Email = david.donnan@<company>.com
>
>     SSL_CLIENT_S_DN_O = <organization>
>
>     ...
>
> However, the following variable is not instantiated:
>
>     SSL_CLIENT_S_DN_UID
>
> Note that it appears, in fact, in SSL_CLIENT_S_DN (at the end) !!
>
> Q1. Can anyone help me instantiate this variable - is there further
> apache HTTPD configuration to be done?
>
> Notes:
>
> 1. Last summer I thought the problem was related to the following BUG 
> and so I put this project on hold:
>
>     https://issues.apache.org/bugzilla/show_bug.cgi?id=45107
>
> Hence I've waited for Fedora 12, where they say the above BUG is fixed.
>
> 2. In the past I've had a similar problem with openSSL where I must 
> manually change openssl.cnf as follows:
>
>     [ new_oids ]
>
>     # We can add new OIDs in here for use by 'ca' and 'req'.
>     # Add a simple OID like this:
>     # testoid1=1.2.3.4
>     # Or use config file substitution like this:
>     # testoid2=${testoid1}.5.6
>     # Following line added by DD Summer 2007
>     uid=0.9.2342.19200300.100.1.1
>
> Reference:      
> http://www.openldap.org/lists/openldap-software/200309/msg00422.html
> BIG thanks to Jeff Warnica for the OpenSSL solution.
>
> Q2. Is this related, perhaps?
>
> 3. /etc/httpd/conf.d/ssl.conf
>
>     Listen 0.0.0.0:443
>     AddType application/x-x509-ca-cert .crt
>     AddType application/x-pkcs7-crl    .crl
>     SSLPassPhraseDialog  builtin
>     SSLSessionCache        none
>     SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
>     SSLSessionCacheTimeout  20
>     # SSLMutex  file:logs/ssl_mutex
>     SSLMutex  default
>     SSLRandomSeed startup builtin
>     SSLRandomSeed connect builtin
>     SSLCryptoDevice builtin
>     <VirtualHost _default_:443>
>     ErrorLog logs/ssl_error_log
>     TransferLog logs/ssl_access_log
>     SSLEngine on
>     SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
>     SSLCertificateFile /etc/httpd/conf/<hostname>.pem
>     SSLCertificateKeyFile  /etc/httpd/conf/<hostname>.key
>     # SSLCACertificateFile /etc/httpd/conf/ca.pem
>     SSLCACertificateFile /etc/httpd/conf/<name>.pem
>     SSLVerifyClient require
>     SSLVerifyDepth  10
>     # SSLUserName SSL_CLIENT_S_DN_Email
>     SSLUserName SSL_CLIENT_S_DN
>     # SSLUserName SSL_CLIENT_S_DN_CN
>     # SSLUserName SSL_CLIENT_S_DN_UID
>     # SSLUserName SSL_CLIENT_S_DN_NID_userId
>     <Files ~ "\.(cgi|shtml|phtml|php3?)$">
>         SSLOptions +StdEnvVars
>     </Files>
>     <Directory "/var/www/cgi-bin">
>         SSLOptions +StdEnvVars
>     </Directory>
>     SetEnvIf User-Agent ".*MSIE.*" \
>              nokeepalive ssl-unclean-shutdown \
>              downgrade-1.0 force-response-1.0
>     CustomLog logs/ssl_request_log \
>               "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>     </VirtualHost>
>
> 4. test.cgi
>
>     #!/usr/bin/perl
>
>        print "Content-type: text/html\n\n";
>        print "<tt>\n";
>        foreach $key (sort keys(%ENV)) {
>           print "$key = $ENV{$key}<p>";
>        }
>
>
> Any help would be greatly appreciated, thanks, Dave
> ----- 


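Until a release with the r811812 fix is deployed, a CGI can fall back on the full SSL_CLIENT_S_DN string that the post shows does carry the UID. The following is an added example, not code from the thread, written in Python rather than the post's Perl: it parses mod_ssl's legacy slash-separated DN format, trusts the subject only when mod_ssl reports the client certificate as verified (SSL_CLIENT_VERIFY), and uses the placeholder DN quoted above as constructed sample input.

```python
import os
import re

# Constructed sample: the (placeholder) DN quoted in the original post.
SAMPLE_DN = "/O=<organization>/CN=DONNAN David/emailAddress=david.donnan@<company>.com/UID=T1234567"

# A component begins at a "/" that is followed by an attribute type and "=".
# The legacy mod_ssl format does not escape "/" inside values, so splitting on a
# bare "/" would break e.g. "OU=Sales/Marketing"; the lookahead keeps such values
# intact. A value containing "/word=" remains ambiguous, which is why the
# per-component SSL_CLIENT_S_DN_* variables are preferable when available.
_COMPONENT = re.compile(r"/(?=[A-Za-z0-9.]+=)")


def parse_legacy_dn(dn):
    """Parse a legacy-format DN string into an ordered list of (type, value) pairs."""
    pairs = []
    for part in _COMPONENT.split(dn):
        if not part:
            continue  # leading "/" yields an empty first element
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("malformed DN component: %r" % part)
        pairs.append((attr, value))
    return pairs


def dn_component(dn, attr):
    """Return all values of one attribute type (a DN may legally repeat a type)."""
    return [v for a, v in parse_legacy_dn(dn) if a.lower() == attr.lower()]


def client_uid(env):
    """Prefer mod_ssl's own component variable; otherwise parse SSL_CLIENT_S_DN."""
    uid = env.get("SSL_CLIENT_S_DN_UID")
    if uid:
        return uid
    # Only a successfully verified client certificate makes the subject trustworthy.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    dn = env.get("SSL_CLIENT_S_DN")
    if not dn:
        return None
    values = dn_component(dn, "UID")
    # Refuse to guess when the UID is missing or appears more than once.
    return values[0] if len(values) == 1 else None


if __name__ == "__main__":  # minimal CGI usage
    print("Content-type: text/plain\n")
    print("UID = %s" % client_uid(os.environ))
```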