SSL_CLIENT_XXX is null
on 22.05.2006 15:37:53 by fsoumil
Hi all,
First of all, thanks for the very good job with openssl. It really rocks!!
Now my question:
I'm trying to set up strong authentication via client certificate (Belgian eid).
You can see my Apache config:
NameVirtualHost *
	ServerAdmin webmaster@localhost
=09DocumentRoot /var/www/
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
SSLCertificateKeyFile /etc/apache2/ssl/apache.pem
SSLVerifyClient optional_no_ca
SSLVerifyDepth 5
SSLCACertificateFile /etc/apache2/ssl/BelgiumRootCA.pem
SSLOptions +FakeBasicAuth +ExportCertData +StdEnvVars +CompatEnvVars
# SSLUserName SSL_CLIENT_S_DN_CN
RequestHeader set SSL_CLIENT_DN %{SSL_CLIENT_DN}e
RequestHeader set SSL_CLIENT_S_DN %{SSL_CLIENT_S_DN}e
RequestHeader set SSL_CLIENT_S_DN_CN %{SSL_CLIENT_S_DN_CN}e
RequestHeader set SSL_CLIENT_S_DN_S %{SSL_CLIENT_S_DN_S}e
RequestHeader set SSL_SERVER_S_DN %{SSL_SERVER_S_DN}e
RequestHeader set SSL_PROTOCOL %{SSL_PROTOCOL}e
RequestHeader set MyHeader "coucou"
Options FollowSymLinks
AllowOverride None
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
# This directive allows us to have apache2's default start page
# in /apache2-default/, but still have / go to the right place
# Commented out for Ubuntu
#RedirectMatch ^/$ /apache2-default/
	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
AllowOverride None
Options ExecCGI -MultiViews +SymLinksIfOwnerMatch
Order allow,deny
Allow from all
	ErrorLog /var/log/apache2/error.log
	# Possible values include: debug, info, notice, warn, error, crit,
	# alert, emerg.
	LogLevel info
	CustomLog /var/log/apache2/access.log combined
	ServerSignature On
Alias /doc/ "/usr/share/doc/"
Options Indexes MultiViews FollowSymLinks
AllowOverride None
Order deny,allow
Deny from all
Allow from 127.0.0.0/255.0.0.0 ::1/128
I've a small PHP script that dumps all the HTTP headers. All the HTTP
headers about the client (SSL_CLIENT_XXX) contain (null) while
SSL_SERVER_S_DN and SSL_PROTOCOL are successfully populated.
What's wrong with what I've done?
I use my Belgian eid on other websites so the root cause is not at the
client side. I also include my error.log that can maybe help you. It
looks ok except for the timeout but I don't know if I have to care
about it.
[Mon May 22 15:23:12 2006] [notice] Apache/2.0.54 (Ubuntu)
PHP/5.0.5-2ubuntu1.2 mod_ssl/2.0.54 OpenSSL/0.9.7g configured --
resuming normal operations
[Mon May 22 15:23:20 2006] [info] Connection to child 0 established
(server localhost.localdomain:443, client 127.0.0.1)
[Mon May 22 15:23:20 2006] [info] Seeding PRNG with 136 bytes of entropy
[Mon May 22 15:23:20 2006] [info] Initial (No.1) HTTPS request
received for child 0 (server localhost.localdomain:443)
[Mon May 22 15:23:27 2006] [info] Connection to child 0 closed with
standard shutdown(server localhost.localdomain:443, client 127.0.0.1)
[Mon May 22 15:23:27 2006] [info] Connection to child 1 established
(server localhost.localdomain:443, client 127.0.0.1)
[Mon May 22 15:23:27 2006] [info] Seeding PRNG with 136 bytes of entropy
[Mon May 22 15:23:27 2006] [info] Initial (No.1) HTTPS request
received for child 1 (server localhost.localdomain:443)
[Mon May 22 15:23:27 2006] [info] Subsequent (No.2) HTTPS request
received for child 1 (server localhost.localdomain:443)
[Mon May 22 15:23:42 2006] [info] (70007)The timeout specified has
expired: SSL input filter read failed.
[Mon May 22 15:23:42 2006] [info] Connection to child 1 closed with
standard shutdown(server localhost.localdomain:443, client 127.0.0.1)
Thanks in advance for your help
François
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org