SSL_CLIENT_S_DN_UID not available with client certificate authentication
on 01.03.2010 16:51:34 by david.donnan
Hello and thanks for all your help in the past.
I'm an ex-Sun (iPlanet/Sun ONE) employee retraining on open source, so I
really appreciate any help that you can give me. It's incredible to see
this community helping each other (for FREE!) and I intend to
participate actively in the future.
I've installed Fedora 12 with apache httpd-2.2.13-4.fc12.i686. I've
configured httpd for client-side certificate authentication.
Once authenticated, I have the following CGI environment variables:

SSL_CLIENT_S_DN = /O=<organization>/CN=DONNAN David/emailAddress=david.donnan@<company>.com/UID=T1234567
SSL_CLIENT_S_DN_CN = DONNAN David
SSL_CLIENT_S_DN_Email = david.donnan@<company>.com
SSL_CLIENT_S_DN_O = <organization>
...

However, the following variable is not instantiated:

SSL_CLIENT_S_DN_UID

Note that it appears, in fact, in SSL_CLIENT_S_DN (at the end)!

Q1. Can anyone help me instantiate this variable? Is there further
Apache httpd configuration to be done?
Notes:

1. Last summer I thought the problem was related to the following bug
and so I put this project on hold:

https://issues.apache.org/bugzilla/show_bug.cgi?id=45107

Hence I've waited for Fedora 12, where they say the above bug is fixed.

2. In the past I've had a similar problem with OpenSSL, where I had to
manually change openssl.cnf as follows:
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Following line added by DD Summer 2007
uid=0.9.2342.19200300.100.1.1
Reference:
http://www.openldap.org/lists/openldap-software/200309/msg00422.html
BIG thanks to Jeff Warnica for the OpenSSL solution.

Q2. Is this related, perhaps?
3. /etc/httpd/conf.d/ssl.conf

Listen 0.0.0.0:443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache none
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 20
# SSLMutex file:logs/ssl_mutex
SSLMutex default
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/<hostname>.pem
SSLCertificateKeyFile /etc/httpd/conf/<hostname>.key
# SSLCACertificateFile /etc/httpd/conf/ca.pem
SSLCACertificateFile /etc/httpd/conf/<name>.pem
SSLVerifyClient require
SSLVerifyDepth 10
# SSLUserName SSL_CLIENT_S_DN_Email
SSLUserName SSL_CLIENT_S_DN
# SSLUserName SSL_CLIENT_S_DN_CN
# SSLUserName SSL_CLIENT_S_DN_UID
# SSLUserName SSL_CLIENT_S_DN_NID_userId

<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
4. test:cgi

#!/usr/bin/perl
use strict;
use warnings;

# Dump every CGI environment variable (including the SSL_* ones) as HTML.
print "Content-type: text/html\n\n";
print "<tt>\n";
foreach my $key (sort keys %ENV) {
    print "$key = $ENV{$key}<p>";
}
print "</tt>\n";
Any help would be greatly appreciated, thanks, Dave
-----
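Until an httpd build that exports SSL_CLIENT_S_DN_UID is in place, the UID can be taken from the complete SSL_CLIENT_S_DN string, which the environment dump above shows is exported. The following is an added example in Python (the thread's test CGI is Perl), not code from the thread or from the httpd project. It parses the OpenSSL "oneline" DN format that mod_ssl 2.2 uses, prefers SSL_CLIENT_S_DN_UID when the server does export it, and refuses to return an identity unless SSL_CLIENT_VERIFY is SUCCESS. The organisation, domain and SSL_CLIENT_VERIFY values in SAMPLE_ENV are constructed stand-ins for the placeholders in the post; the attribute table (ATTR_OIDS) is an assumption about which types the certificates carry and should be extended for others.

```python
"""
Recover the UID from the client certificate when httpd does not export
SSL_CLIENT_S_DN_UID (httpd 2.2.13 in this thread), by parsing the full
SSL_CLIENT_S_DN string that mod_ssl 2.2 does export.

Added example for this thread; not code from the original posts or from httpd.
"""
import html
import os
import re

# Attribute types as OpenSSL prints them in the "oneline" DN format used by
# mod_ssl 2.2 for SSL_CLIENT_S_DN: short name -> OID. OpenSSL prints the dotted
# OID when it has no short name for a type, so both spellings are accepted.
# UID is RFC 1274 userId, the OID the poster aliased in openssl.cnf.
# (Assumed table: extend it for certificates that carry other attributes.)
ATTR_OIDS = {
    "C": "2.5.4.6",
    "ST": "2.5.4.8",
    "L": "2.5.4.7",
    "O": "2.5.4.10",
    "OU": "2.5.4.11",
    "CN": "2.5.4.3",
    "serialNumber": "2.5.4.5",
    "DC": "0.9.2342.19200300.100.1.25",
    "emailAddress": "1.2.840.113549.1.9.1",
    "UID": "0.9.2342.19200300.100.1.1",
}
OID_TO_ATTR = {oid: name for name, oid in ATTR_OIDS.items()}

# A component starts where "/" is followed by a known type (or a dotted OID)
# and "=". Splitting on every "/" would be wrong: the oneline format does not
# escape "/" inside values, so "/O=Foo/Bar Inc/CN=x" has O = "Foo/Bar Inc".
# A type missing from ATTR_OIDS is swallowed into the preceding value.
_TYPES = sorted(ATTR_OIDS, key=len, reverse=True)
_COMPONENT = re.compile(
    r"/(?P<type>" + "|".join(map(re.escape, _TYPES)) + r"|\d+(?:\.\d+)+)="
)


def parse_oneline_dn(dn):
    """Split an OpenSSL oneline DN into ordered (type, value) pairs; dotted
    OIDs are normalised to their short name."""
    matches = list(_COMPONENT.finditer(dn))
    if not matches or matches[0].start() != 0:
        raise ValueError("not an OpenSSL oneline DN: %r" % dn)
    components = []
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(dn)
        attr = OID_TO_ATTR.get(m.group("type"), m.group("type"))
        components.append((attr, dn[m.end():end]))
    return components


def dn_attribute(dn, attr):
    """All values of one attribute type (DN attributes may repeat)."""
    return [value for typ, value in parse_oneline_dn(dn) if typ == attr]


def client_uid(environ):
    """UID asserted by the verified client certificate, or None.

    Prefers SSL_CLIENT_S_DN_UID where httpd exports it, else parses the full
    DN. Nothing is trusted unless SSL_CLIENT_VERIFY is SUCCESS: under
    "SSLVerifyClient optional_no_ca" mod_ssl still exports the DN of a
    certificate that did not chain to a trusted CA (SSL_CLIENT_VERIFY is then
    GENEROUS). A DN with zero or several UIDs is rejected, not guessed at.
    """
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    uid = environ.get("SSL_CLIENT_S_DN_UID")
    if uid:
        return uid
    dn = environ.get("SSL_CLIENT_S_DN")
    if not dn:
        return None
    values = dn_attribute(dn, "UID")
    return values[0] if len(values) == 1 else None


# Constructed stand-in for what mod_ssl hands the CGI for the poster's
# certificate; organisation and domain are placeholders, as in the thread.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/O=Example Org/CN=DONNAN David"
                       "/emailAddress=david.donnan@example.com/UID=T1234567",
    "SSL_CLIENT_S_DN_CN": "DONNAN David",
    "SSL_CLIENT_S_DN_Email": "david.donnan@example.com",
    "SSL_CLIENT_S_DN_O": "Example Org",
}

if __name__ == "__main__":
    # Under httpd this is a CGI reading the real environment; from a shell it
    # falls back to the sample. Values are escaped before going into HTML.
    env = os.environ if "SSL_CLIENT_S_DN" in os.environ else SAMPLE_ENV
    print("Content-type: text/html\n")
    print("<tt>UID = %s</tt>" % html.escape(client_uid(env) or "(none)"))
```

With the posted `SSLVerifyClient require`, a request never reaches the CGI unless the certificate chained to the configured CA, so the SSL_CLIENT_VERIFY check only matters for locations that use `optional` or `optional_no_ca`; it costs nothing to keep. Once the server does export SSL_CLIENT_S_DN_UID, the commented-out `SSLUserName SSL_CLIENT_S_DN_UID` in the posted config sets REMOTE_USER to the UID instead of the whole DN. The "/" ambiguity handled above goes away in httpd 2.3.11 and later, which format these variables per RFC 2253 unless `SSLOptions +LegacyDNStringFormat` is set. Unrelated to the UID problem, the posted SSLCipherSuite string (+LOW:+SSLv2:+EXP) admits SSLv2 and export-grade suites and is worth tightening on a certificate-authenticated host.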
Re: SSL_CLIENT_S_DN_UID not available with client certificate authentication
on 02.03.2010 10:45:27 by david.donnan
Oops, upon closer inspection of the bug found here:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45107
I see the following at the bottom:

    This issue was fixed in 2.2.x branch with r811812
    (https://svn.apache.org/viewcvs.cgi?view=rev&rev=811812)
    and will ship with httpd 2.2.14.

Assuming the bug is, in fact, my problem, I'll wait and test with 2.2.14.
Sorry, I was testing with 2.2.13.

Regards, Dave
----
Re: SSL_CLIENT_S_DN_UID not available with client certificate authentication
on 22.03.2010 12:51:07 by lambam80
FYI, this is a bug in httpd: the problem was related to
https://issues.apache.org/bugzilla/show_bug.cgi?id=45107, and so I put this
project on hold while waiting for Fedora 13 (with httpd-2.2.14), where they
say the httpd bug is fixed.
------
I simply couldn't wait until April 2010 (Fedora 13 with httpd-2.2.14), so I
used an unofficial copy of httpd-2.2.14 for Fedora 12 (and related RPMs)
found here:
[http://hany.sk/~hany/RPM/f-updates-12-i386/httpd-2.2.14-1.fc12.i686.html]
I then installed with the force option of RPM:
{code}
[root@James fc12]# ls -tlar
total 1884
drwxr-xr-x. 5 4096 2010-03-02 12:18 ..
-rw-rw-r--. 1 822820 2010-03-02 12:18 httpd-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1 146000 2010-03-02 12:18 httpd-devel-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1 67880 2010-03-02 12:18 httpd-tools-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1 85620 2010-03-02 12:18 mod_ssl-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1 787852 2010-03-02 12:18 httpd-manual-2.2.14-1.fc12.noarch.rpm
[root@James fc12]# rpm -iv --force *
[root@James fc12]# rpm -qa | grep httpd | sort
httpd-2.2.13-4.fc12.i686
httpd-2.2.14-1.fc12.i686
httpd-devel-2.2.13-4.fc12.i686
httpd-devel-2.2.14-1.fc12.i686
httpd-manual-2.2.13-4.fc12.noarch
httpd-manual-2.2.14-1.fc12.noarch
httpd-tools-2.2.13-4.fc12.i686
httpd-tools-2.2.14-1.fc12.i686
{code}
Dirty, but it works.
------
--
View this message in context: http://old.nabble.com/-users%40httpd--SSL_CLIENT_S_DN_UID-not-available-with-client-certificate-authentication-tp27745302p27985263.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org