From: Tom Evans
To: users@httpd.apache.org
Date: Fri, 21 Jan 2011 10:24:54 +0000
Subject: [users@httpd] mod_ssl, client certificates and r->username

Hi all

Apache/2.2.17 (FreeBSD)

I'm trying to use client certificates to authenticate my few users. I
created a self-signed CA, server certificates and user certificates,
and installed them in the appropriate places. I then created a vhost:

    ServerName rc.ketbun.com
    SSLEngine on
    SSLCertificateFile /etc/ssl/ketbun/star.ketbun.com/apache.crt
    SSLCertificateKeyFile /etc/ssl/ketbun/star.ketbun.com/apache.key
    SSLCACertificateFile /etc/ssl/ketbun/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
    SSLCARevocationFile /etc/ssl/ketbun/ca.crl
    SSLOptions +FakeBasicAuth +StdEnvVars
    RequestHeader set X-Username %{SSL_CLIENT_S_DN_Email}s

This all works nicely, and users can only access if they have been
issued with keys/certificates and installed them in their browser.

However, I can't seem to get any of these details to be logged.
Without creating phony .htpasswd files listing all my users with dummy
passwords, is there any way to extract an attribute from the client
certificate's DN and use that to populate r->username?

FakeBasicAuth doesn't seem to want to do anything without the dummy
.htpasswd, and whilst I can pass the information easily enough to the
webapps without this (adding it as a request header), this doesn't
help me get the info into the access logs.

Any ideas?

Cheers

Tom
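
One way to get a certificate attribute into r->user and the access log without FakeBasicAuth is mod_ssl's SSLUserName directive, shown here as an added example that is not part of the original message. The log format nickname and the log file path are assumptions; the directives go inside the vhost described above.

```apache
# Added example: take the authenticated user name from the client certificate.
# SSLUserName copies the named mod_ssl variable into r->user (REMOTE_USER),
# so no .htpasswd file and no FakeBasicAuth are involved.
SSLVerifyClient require
SSLVerifyDepth  1
SSLUserName     SSL_CLIENT_S_DN_Email

# %u now carries the certificate's e-mail attribute. %{...}x logs mod_ssl
# variables directly; the serial number ties each entry to one issued
# certificate, which helps when a certificate is later revoked.
# "sslclient" and the log path are assumed names, not from the original post.
LogFormat "%h %l %u %t \"%r\" %>s %b %{SSL_CLIENT_M_SERIAL}x %{SSL_CLIENT_VERIFY}x" sslclient
CustomLog /var/log/httpd-ssl-clients.log sslclient
```

The logged name is whatever the CA listed in SSLCACertificateFile placed in the certificate subject, so it is only as reliable as that CA's issuance process.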