From: lambam80
To: users@httpd.apache.org
Date: Mon, 22 Mar 2010 04:51:07 -0700 (PDT)
Subject: Re: [users@httpd] SSL_CLIENT_S_DN_UID not available with client certificate authentication
In-Reply-To: <4B8BE286.1010806@thalesgroup.com>

FYI.
This is a BUG with HTTP: the problem was related to
https://issues.apache.org/bugzilla/show_bug.cgi?id=45107
and so I put this project on hold while waiting for Fedora 13 (with httpd-2.2.14), where they say the HTTPD BUG is fixed.

------

I simply couldn't wait until April 2010 (Fedora 13 with httpd-2.2.14), so I used an unofficial copy of httpd-2.2.14 on Fedora 12 (and related RPMs) found here:

http://hany.sk/~hany/RPM/f-updates-12-i386/httpd-2.2.14-1.fc12.i686.html

I then installed with the force option of RPM:

{code}
[root@James fc12]# ls -tlar
total 1884
drwxr-xr-x. 5   4096 2010-03-02 12:18 ..
-rw-rw-r--. 1 822820 2010-03-02 12:18 httpd-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1 146000 2010-03-02 12:18 httpd-devel-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1  67880 2010-03-02 12:18 httpd-tools-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1  85620 2010-03-02 12:18 mod_ssl-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1 787852 2010-03-02 12:18 httpd-manual-2.2.14-1.fc12.noarch.rpm
[root@James fc12]# rpm -iv --force *
[root@James fc12]# rpm -qa | grep httpd | sort
httpd-2.2.13-4.fc12.i686
httpd-2.2.14-1.fc12.i686
httpd-devel-2.2.13-4.fc12.i686
httpd-devel-2.2.14-1.fc12.i686
httpd-manual-2.2.13-4.fc12.noarch
httpd-manual-2.2.14-1.fc12.noarch
httpd-tools-2.2.13-4.fc12.i686
httpd-tools-2.2.14-1.fc12.i686
{code}

Dirty, but it works.

------

David (Dave) Donnan wrote:
>
> Hello and thanks for all your help in the past.
>
> I'm an ex-SUN (iplanet/Sun ONE) employee retraining on OpenSource so I
> really appreciate any help that you can give me. It's incredible to see
> this community helping each other (for FREE!) and I intend to
> participate actively in the future.
>
> I've installed Fedora 12 with apache httpd-2.2.13-4.fc12.i686. I've
> configured httpd for client-side certificate authentication.
>
> Once authenticated, I have the following CGI environment variables:
>
> SSL_CLIENT_S_DN = /O=/CN=DONNAN David/emailAddress=david.donnan@.com/UID=T1234567
> SSL_CLIENT_S_DN_CN = DONNAN David
> SSL_CLIENT_S_DN_Email = david.donnan@.com
> SSL_CLIENT_S_DN_O =
> ...
>
> However, the following variable is not instantiated:
>
> SSL_CLIENT_S_DN_UID
>
> Note that it appears, in fact, in SSL_CLIENT_S_DN (at the end)!!
>
> Q1. Can anyone help me instantiate this variable - is there further
> apache HTTPD configuration to be done?
>
> Notes:
>
> 1. Last summer I thought the problem was related to the following BUG
> and so I put this project on hold:
>
> https://issues.apache.org/bugzilla/show_bug.cgi?id=45107
>
> Hence why I've waited for Fedora 12, where they say the above BUG is fixed.
>
> 2. In the past I've had a similar problem with openSSL where I must
> manually change openssl.cnf as follows:
>
> [ new_oids ]
>
> # We can add new OIDs in here for use by 'ca' and 'req'.
> # Add a simple OID like this:
> # testoid1=1.2.3.4
> # Or use config file substitution like this:
> # testoid2=${testoid1}.5.6
> # Following line added by DD Summer 2007
> uid=0.9.2342.19200300.100.1.1
>
> Reference:
> http://www.openldap.org/lists/openldap-software/200309/msg00422.html
> BIG thanks to Jeff Warnica for the OpenSSL solution.
>
> Q2. Is this related, perhaps?
>
> 3. /etc/httpd/conf.d/ssl.conf
>
> Listen 0.0.0.0:443
> AddType application/x-x509-ca-cert .crt
> AddType application/x-pkcs7-crl .crl
> SSLPassPhraseDialog builtin
> SSLSessionCache none
> SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
> SSLSessionCacheTimeout 20
> # SSLMutex file:logs/ssl_mutex
> SSLMutex default
> SSLRandomSeed startup builtin
> SSLRandomSeed connect builtin
> SSLCryptoDevice builtin
>
> ErrorLog logs/ssl_error_log
> TransferLog logs/ssl_access_log
> SSLEngine on
> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
> SSLCertificateFile /etc/httpd/conf/.pem
> SSLCertificateKeyFile /etc/httpd/conf/.key
> # SSLCACertificateFile /etc/httpd/conf/ca.pem
> SSLCACertificateFile /etc/httpd/conf/.pem
> SSLVerifyClient require
> SSLVerifyDepth 10
> # SSLUserName SSL_CLIENT_S_DN_Email
> SSLUserName SSL_CLIENT_S_DN
> # SSLUserName SSL_CLIENT_S_DN_CN
> # SSLUserName SSL_CLIENT_S_DN_UID
> # SSLUserName SSL_CLIENT_S_DN_NID_userId
>
> SSLOptions +StdEnvVars
>
> SSLOptions +StdEnvVars
>
> SetEnvIf User-Agent ".*MSIE.*" \
>          nokeepalive ssl-unclean-shutdown \
>          downgrade-1.0 force-response-1.0
> CustomLog logs/ssl_request_log \
>           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
> 4. test:cgi
>
> #!/usr/bin/perl
>
> print "Content-type: text/html\n\n";
> print "\n";
> # Dump every CGI environment variable, one per line, sorted by name
> foreach $key (sort keys(%ENV)) {
>     print "$key = $ENV{$key}\n";
> }
>
> Any help would be greatly appreciated, thanks, Dave

--
View this message in context: http://old.nabble.com/-users%40httpd--SSL_CLIENT_S_DN_UID-not-available-with-client-certificate-authentication-tp27745302p27985263.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.