Workaround for bug with FakeBasicAuth
on 30.05.2002 04:31:51 by Jason Haar
I've been trying to get client cert authentication to work with mod_ssl
2.8.4-8 and have everything working bar directory listings. Apparently this
is a bug that goes back over a year now?
Anyway, I think I have a workaround.
Instead of using FakeBasicAuth, I use SSLRequire, and change
CustomLog to "fake" the auth entry:
i.e.
LogFormat "%h %l %u %t \"%r\" ....." standard
LogFormat "%h %l SSL:%{SSL_CLIENT_S_DN_EMAIL}e %t \"%r\" ..." ssl-standard
CustomLog /log/access_log standard
#Override the CustomLog setting for valid SSL Client Certs
CustomLog /log/access_log ssl-standard env=SSL_CLIENT_S_DN_EMAIL
SSLRequireSSL
SSLVerifyClient require
SSLVerifyDepth 1
SSLOptions +StrictRequire +ExportCertData +CompatEnvVars +StdEnvVars
SSLBanCipher NULL-MD5 NULL-SHA
SSLRequire %{SSL_CLIENT_S_DN_OU} in {"our dep"}
Options none Indexes FollowSymlinks SymLinksIfOwnerMatch
AllowOverride None
order allow,deny
allow from all
The only concern I have is that I had to set +StdEnvVars in order to get
SSL_CLIENT_S_DN_EMAIL into the environment. Can I access that some other
way, or is the extra load of adding the env vars not bad enough to be
concerned about?
Also, if anyone thinks that's not going to operate the way I think it should
(i.e. only allow OU="our dep" access) please let me know :-)
Thanks
--
Cheers
Jason Haar
Information Security Manager
Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
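The following is an added, constructed example of the workaround wired into one complete SSL virtual host; it is not configuration from the post above, and the host name, paths, certificate files and the OU value "our dep" are placeholders. Two details differ from the fragment in the post and are worth knowing: multiple CustomLog directives are all active rather than overriding each other, so the unconditional line is given the complementary env=!... condition to avoid writing every certificate-authenticated request twice, and the mod_ssl 2.8 log-format extension %{varname}x reads an SSL variable straight from mod_ssl, which is the way to get SSL_CLIENT_S_DN_EMAIL into the log without SSLOptions +StdEnvVars. The env= condition itself, however, tests the request environment, so StdEnvVars is still needed where that condition is used.

```apache
# Constructed example: full SSL vhost applying the OU restriction and the
# certificate-based log entry.  All names and paths are placeholders.

# Plain format for ordinary requests.
LogFormat "%h %l %u %t \"%r\" %>s %b" standard
# Same layout, but the user field carries the client certificate's e-mail
# address.  %{...}x is mod_ssl's own format extension and does not depend on
# the variable having been exported with +StdEnvVars.
LogFormat "%h %l SSL:%{SSL_CLIENT_S_DN_EMAIL}x %t \"%r\" %>s %b" ssl-standard

<VirtualHost _default_:443>
    DocumentRoot /var/www/secure
    SSLEngine on
    SSLCertificateFile    /etc/apache/ssl/server.crt
    SSLCertificateKeyFile /etc/apache/ssl/server.key
    # CA(s) that issued the client certificates.  With SSLVerifyDepth 1 in the
    # directory block below, a client cert must be signed directly by one of
    # these, so a certificate from any other issuer never reaches SSLRequire.
    SSLCACertificateFile  /etc/apache/ssl/client-ca.crt

    # Both CustomLog lines are active; the env= conditions make them mutually
    # exclusive so each request is written exactly once.  The condition only
    # sees variables exported by +StdEnvVars, hence that option below.
    CustomLog /var/log/apache/access_log standard     env=!SSL_CLIENT_S_DN_EMAIL
    CustomLog /var/log/apache/access_log ssl-standard env=SSL_CLIENT_S_DN_EMAIL

    <Directory /var/www/secure>
        SSLRequireSSL
        SSLVerifyClient require
        SSLVerifyDepth 1
        # StrictRequire: a failing SSLRequire denies even under "Satisfy Any".
        # StdEnvVars: needed only for the env= conditions above (and CGIs).
        SSLOptions +StrictRequire +StdEnvVars
        # Exact match on the subject OU; any other OU gets 403.
        SSLRequire %{SSL_CLIENT_S_DN_OU} in {"our dep"}
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>
```

One caveat for the log side: SSL_CLIENT_S_DN_EMAIL is taken from the emailAddress component of the certificate subject DN. A client certificate that carries its e-mail only in a subjectAltName extension leaves that variable empty, the env= condition is then false, and the request is logged by the plain format with "-" in the user field even though the OU check passed. A quick check when rolling this out is to request the directory once with a certificate whose OU matches and once with one that does not, and confirm the first is logged with the SSL: prefix and the second receives a 403.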
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org