Multiple OU components in certificate subject DN and SSL_CLIENT_S_DN_OU

Multiple OU components in certificate subject DN and SSL_CLIENT_S_DN_OU

am 07.08.2007 14:25:54 von Arsen Hayrapetyan

Hello,

I am setting up client authentication with X.509 certificates.
The client has the certificate subject DN of the following form:
/C=XX/O=YYY/OU=ZZZ/OU=PPP/CN=TTT
I need to catch both OUs in my perl CGI script. But when I am trying to
get the values of OUs with the foolowing piece of code:

$variable=$ENV{SSL_CLIENT_S_DN_OU};
print "$variable \n";
$variable=$ENV{SSL_CLIENT_S_DN_OU};
print "$variable \n";

both print statements print ZZZ (the first OU).

How can I catch both OUs in my CGI script? Does mod_ssl "see" the first OU
only?

My apache version is 2.0.55. However I don't know the version of mod_ssl.
By the way, how can I determine what version of mod_ssl module do I have?

Thanks for the help in advance,
Arsen.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: Multiple OU components in certificate subject DN and SSL_CLIENT_S_DN_OU

am 07.08.2007 15:17:21 von Joe Orton

On Tue, Aug 07, 2007 at 02:25:54PM +0200, Arsen Hayrapetyan wrote:
> Hello,
>
> I am setting up client authentication with X.509 certificates.
> The client has the certificate subject DN of the following form:
> /C=XX/O=YYY/OU=ZZZ/OU=PPP/CN=TTT
> I need to catch both OUs in my perl CGI script. But when I am trying to
> get the values of OUs with the foolowing piece of code:
>
> $variable=$ENV{SSL_CLIENT_S_DN_OU};
> print "$variable \n";
> $variable=$ENV{SSL_CLIENT_S_DN_OU};
> print "$variable \n";
>
> both print statements print ZZZ (the first OU).
>
> How can I catch both OUs in my CGI script? Does mod_ssl "see" the first OU
> only?

It has access to them all, but only exports the first.

If you upgrade to 2.2.x, you could hack ssl_engine_kernel.c by adding:

"SSL_CLIENT_S_DN_OU_0",
"SSL_CLIENT_S_DN_OU_1",

to the ssl_hook_Fixup_vars[] array. This will force the first and
second OU field to be exported to CGI scripts in those named variables.
Note that this won't work with 2.0.x, which doesn't support the _N
suffix.

> My apache version is 2.0.55. However I don't know the version of mod_ssl.
> By the way, how can I determine what version of mod_ssl module do I have?

mod_ssl is integrated into the httpd 2.x tree, so there is no separate
"versino".

joe
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org