Extracting SSL_CLIENT_S_DN_UID does not work
HI!
(Re-sent since my message through gmane didn't come through.)
Maybe I'm overlooking the obvious but it seems that env var
SSL_CLIENT_S_DN_UID is not set when using a client cert for authentication.
The following env vars displayed in my SSI HTML text are relevant here
(obfuscated to protect privacy):
SSL_CLIENT_S_DN: /O=Company Name/OU=Authc/UID=userid/CN=Full name
SSL_CLIENT_S_DN_UID: (none)
Is it caused by UID not being the leaf RDN?
Ciao, Michael.
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users [at] modssl.org
Automated List Manager majordomo [at] modssl.org
Re: Extracting SSL_CLIENT_S_DN_UID does not work
On Mon, May 19, 2008 at 10:13:45AM +0200, Michael Ströder wrote:
> HI!
>
> (Re-sent since my message through gmane didn't come through.)
>
> Maybe I'm overlooking the obvious but it seems that env var
> SSL_CLIENT_S_DN_UID is not set when using a client cert for authentication.
>
> The following env vars displayed in my SSI HTML text are relevant here
> (obfuscated to protect privacy):
>
> SSL_CLIENT_S_DN: /O=Company Name/OU=Authc/UID=userid/CN=Full name
> SSL_CLIENT_S_DN_UID: (none)
>
> Is it caused by UID not being the leaf RDN?
That shouldn't make any difference. What versions of OpenSSL and
httpd/mod_ssl are you using? The "UID" DN tag is ambiguous and probably
maps to something other than what your subject DN uses.
In the current 2.x mod_ssl sources, UID maps to:
#ifdef NID_x500UniqueIdentifier /* new name as of Openssl 0.9.7 */
{ "UID", NID_x500UniqueIdentifier },
#else /* old name, OpenSSL < 0.9.7 */
{ "UID", NID_uniqueIdentifier },
#endif
joe
Re: Extracting SSL_CLIENT_S_DN_UID does not work
Joe,
many thanks for your response.
Joe Orton wrote:
> On Mon, May 19, 2008 at 10:13:45AM +0200, Michael Ströder wrote:
>>
>> Maybe I'm overlooking the obvious but it seems that env var
>> SSL_CLIENT_S_DN_UID is not set when using a client cert for authentication.
>>
>> The following env vars displayed in my SSI HTML text are relevant here
>> (obfuscated to protect privacy):
>>
>> SSL_CLIENT_S_DN: /O=Company Name/OU=Authc/UID=userid/CN=Full name
>> SSL_CLIENT_S_DN_UID: (none)
>>
>> Is it caused by UID not being the leaf RDN?
>
> That shouldn't make any difference.
Ok, fine.
> What versions of OpenSSL and httpd/mod_ssl are you using?
Actually pre-built RPMs shipped with openSUSE 10.3:
# rpm -q openssl apache2
openssl-0.9.8e-45.5
apache2-2.2.4-70.4
Not sure whether these RPMs are based on sources patched by openSUSE.
> The "UID" DN tag is ambiguous and probably
> maps to something other than what your subject DN uses.
>
> In the current 2.x mod_ssl sources, UID maps to:
>
> #ifdef NID_x500UniqueIdentifier /* new name as of Openssl 0.9.7 */
> { "UID", NID_x500UniqueIdentifier },
> #else /* old name, OpenSSL < 0.9.7 */
> { "UID", NID_uniqueIdentifier },
> #endif
Hmm, the user ID is already stored by mod_ssl with attribute name "UID"
in env var SSL_CLIENT_S_DN. Given that it's OpenSSL 0.9.8 and that the
attribute type seems to be interpreted as UID is it safe to assume that
the cert contains the right OID?
If NID_x500UniqueIdentifier maps to OID 2.5.4.45 it's plain wrong anyway...
Ciao, Michael.
Re: Extracting SSL_CLIENT_S_DN_UID does not work
On Fri, May 23, 2008 at 04:46:48PM +0200, Michael Ströder wrote:
>> In the current 2.x mod_ssl sources, UID maps to:
>>
>> #ifdef NID_x500UniqueIdentifier /* new name as of Openssl 0.9.7 */
>> { "UID", NID_x500UniqueIdentifier },
>> #else /* old name, OpenSSL < 0.9.7 */
>> { "UID", NID_uniqueIdentifier },
>> #endif
>
> Hmm, the user ID is already stored by mod_ssl with attribute name "UID" in
> env var SSL_CLIENT_S_DN. Given that it's OpenSSL 0.9.8 and that the
> attribute type seems to be interpreted as UID is it safe to assume that the
> cert contains the right OID?
No, unfortunately there is disparity between mod_ssl and OpenSSL here.
(I don't know why; I think historically the short name mappings were not
unique in OpenSSL possibly, something like that)
OpenSSL uses "UID" for NID_userId (OID mapping an exercise for the
reader, see obj_mac.h in OpenSSL ;). So in fact that's the tag used for
that RDN.
> If NID_x500UniqueIdentifier maps to OID 2.5.4.45 it's plain wrong anyway...
It does indeed map to that OID... wrong in what sense?
joe
Re: Extracting SSL_CLIENT_S_DN_UID does not work
Joe Orton wrote:
> On Fri, May 23, 2008 at 04:46:48PM +0200, Michael Ströder wrote:
>> Hmm, the user ID is already stored by mod_ssl with attribute name "UID" in
>> env var SSL_CLIENT_S_DN. Given that it's OpenSSL 0.9.8 and that the
>> attribute type seems to be interpreted as UID is it safe to assume that the
>> cert contains the right OID?
>
> No, unfortunately there is disparity between mod_ssl and OpenSSL here.
> (I don't know why; I think historically the short name mappings were not
> unique in OpenSSL possibly, something like that)
Hmmpf! So the string representation of SSL_CLIENT_S_DN is completely
generated by OpenSSL whereas the single attribute types are generated by
mod_ssl by looking at the cert's OID?
>> If NID_x500UniqueIdentifier maps to OID 2.5.4.45 it's plain wrong anyway...
>
> It does indeed map to that OID... wrong in what sense?
Because the syntax assigned to attribute type 'x500UniqueIdentifier'
(OID 2.5.4.45) is 'Bit String' (OID 1.3.6.1.4.1.1466.115.121.1.6) which
cannot be used to store a user ID with characters like 'ABCDEF'.
http://www.alvestrand.no/objectid/2.5.4.45.html
Ciao, Michael.
Re: Extracting SSL_CLIENT_S_DN_UID does not work
Joe Orton wrote:
> On Fri, May 23, 2008 at 04:46:48PM +0200, Michael Ströder wrote:
>>> In the current 2.x mod_ssl sources, UID maps to:
>>>
>>> #ifdef NID_x500UniqueIdentifier /* new name as of Openssl 0.9.7 */
>>> { "UID", NID_x500UniqueIdentifier },
>>> #else /* old name, OpenSSL < 0.9.7 */
>>> { "UID", NID_uniqueIdentifier },
>>> #endif
>> Hmm, the user ID is already stored by mod_ssl with attribute name "UID" in
>> env var SSL_CLIENT_S_DN. Given that it's OpenSSL 0.9.8 and that the
>> attribute type seems to be interpreted as UID is it safe to assume that the
>> cert contains the right OID?
>
> No, unfortunately there is disparity between mod_ssl and OpenSSL here.
> (I don't know why; I think historically the short name mappings were not
> unique in OpenSSL possibly, something like that)
>
> OpenSSL uses "UID" for NID_userId (OID mapping an exercise for the
> reader, see obj_mac.h in OpenSSL ;). So in fact that's the tag used for
> that RDN.
Ok, then the OID in my cert is 0.9.2342.19200300.100.1.1 (attribute type
'uid' specified for pilotPerson). That seems right to me since it's
compliant with RFC 4514 which contains a table of short and long
attribute type names and their OIDs (end of chapter 3).
But now I don't understand the #ifdef-statement mentioned above. From my
understanding it MUST NOT reference NID_x500UniqueIdentifier. It MUST
reference NID_userId. To me that looks clearly like a bug in mod_ssl.
Ciao, Michael.
Re: Extracting SSL_CLIENT_S_DN_UID does not work
On Fri, May 23, 2008 at 05:23:34PM +0200, Michael Ströder wrote:
> Ok, then the OID in my cert is 0.9.2342.19200300.100.1.1 (attribute type
> 'uid' specified for pilotPerson). That seems right to me since it's
> compliant with RFC 4514 which contains a table of short and long attribute
> type names and their OIDs (end of chapter 3).
>
> But now I don't understand the #ifdef-statement mentioned above. From my
> understanding it MUST NOT reference NID_x500UniqueIdentifier. It MUST
> reference NID_userId. To me that looks clearly like a bug in mod_ssl.
Changing it would break backwards-compat which is why the #ifdef is
there (so that the _UID variable refers to the same OID regardless of
what OpenSSL version is used).
But I don't disagree that it was wrong in the first place. I vaguely
recall discussing this somewhere before and deciding we needed an extra
_UserID-like variable so people can get the (commoner) pilotPerson-type
uid attribute out of the DN too.
joe
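To make the disparity concrete, here is an added Python model (not mod_ssl's or OpenSSL's own code) of how the oneline SSL_CLIENT_S_DN string and the per-tag SSL_CLIENT_S_DN_<tag> variables are derived from a subject's (OID, value) pairs. It assumes the per-tag lookup takes the first RDN whose OID matches the tag, uses only the OIDs named in this thread, and feeds in a constructed subject mirroring Michael's obfuscated DN.

```python
# Model of the two lookups discussed in the thread (added illustration,
# not mod_ssl or OpenSSL code): the oneline DN is rendered from OIDs via
# OpenSSL's short-name table, while each SSL_CLIENT_S_DN_<tag> variable
# is filled by searching the subject for the OID mod_ssl assigns to <tag>.

USERID_OID = "0.9.2342.19200300.100.1.1"   # NID_userId (pilotPerson 'uid')
X500UID_OID = "2.5.4.45"                   # NID_x500UniqueIdentifier (BIT STRING)

# OID -> short name as OpenSSL prints it (subset sufficient for the example).
OPENSSL_OID_TO_SN = {
    "2.5.4.10": "O",
    "2.5.4.11": "OU",
    "2.5.4.3": "CN",
    USERID_OID: "UID",
    X500UID_OID: "x500UniqueIdentifier",
}

# Tag -> OID tables for the per-tag variables.
# "shipped": the mod_ssl mapping quoted in the thread (UID -> 2.5.4.45).
# "openssl": the meaning OpenSSL itself gives the tag (UID -> userId).
COMMON = {"O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3"}
DN_TAG_TABLES = {
    "shipped": dict(COMMON, UID=X500UID_OID),
    "openssl": dict(COMMON, UID=USERID_OID),
}

def dn_oneline(subject):
    """OpenSSL-style oneline rendering: /O=.../UID=.../CN=..."""
    return "".join(f"/{OPENSSL_OID_TO_SN.get(oid, oid)}={val}" for oid, val in subject)

def dn_env_vars(subject, table_name, prefix="SSL_CLIENT_S_DN"):
    """Build the env vars: the oneline string plus one _<tag> variable per
    tag whose OID occurs in the subject (first match wins; an assumption)."""
    env = {prefix: dn_oneline(subject)}
    for tag, oid in DN_TAG_TABLES[table_name].items():
        values = [val for o, val in subject if o == oid]
        if values:
            env[f"{prefix}_{tag}"] = values[0]
    return env

def tags_without_env_var(env, prefix="SSL_CLIENT_S_DN"):
    """Diagnostic: tags present in the oneline DN that have no _<tag>
    variable, i.e. where the short name and the per-tag OID disagree."""
    tags = {part.split("=", 1)[0] for part in env[prefix].split("/") if part}
    return sorted(t for t in tags if f"{prefix}_{t}" not in env)

# Constructed subject; RDN order mirrors the thread's DN (UID is not the leaf).
SUBJECT = [
    ("2.5.4.10", "Company Name"),
    ("2.5.4.11", "Authc"),
    (USERID_OID, "userid"),
    ("2.5.4.3", "Full name"),
]

if __name__ == "__main__":
    for name in ("shipped", "openssl"):
        env = dn_env_vars(SUBJECT, name)
        print(name, env[ "SSL_CLIENT_S_DN"], env.get("SSL_CLIENT_S_DN_UID", "(none)"))
        print("  unpopulated tags:", tags_without_env_var(env))
```

Running `tags_without_env_var` over the variables an SSI page or CGI actually receives is a quick way to confirm whether an application is about to authorise on a DN component that mod_ssl never populates.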
Re: Extracting SSL_CLIENT_S_DN_UID does not work
Joe Orton wrote:
> On Fri, May 23, 2008 at 05:23:34PM +0200, Michael Ströder wrote:
>> Ok, then the OID in my cert is 0.9.2342.19200300.100.1.1 (attribute type
>> 'uid' specified for pilotPerson). That seems right to me since it's
>> compliant with RFC 4514 which contains a table of short and long attribute
>> type names and their OIDs (end of chapter 3).
>>
>> But now I don't understand the #ifdef-statement mentioned above. From my
>> understanding it MUST NOT reference NID_x500UniqueIdentifier. It MUST
>> reference NID_userId. To me that looks clearly like a bug in mod_ssl.
>
> Changing it would break backwards-compat which is why the #ifdef is
> there (so that the _UID variable refers to the same OID regardless of
> what OpenSSL version is used).
1. I seriously doubt that there are any certs out there which use
x500UniqueIdentifier in the subject-DN. If yes, then these certs are
also seriously broken.
2. It's simply broken that attribute type UID in mod_ssl differs from
OpenSSL here.
Ciao, Michael.
Re: Extracting SSL_CLIENT_S_DN_UID does not work
Michael Ströder wrote:
> Joe Orton wrote:
>> On Fri, May 23, 2008 at 05:23:34PM +0200, Michael Ströder wrote:
>>> Ok, then the OID in my cert is 0.9.2342.19200300.100.1.1 (attribute
>>> type 'uid' specified for pilotPerson). That seems right to me since
>>> it's compliant with RFC 4514 which contains a table of short and long
>>> attribute type names and their OIDs (end of chapter 3).
>>>
>>> But now I don't understand the #ifdef-statement mentioned above. From
>>> my understanding it MUST NOT reference NID_x500UniqueIdentifier. It
>>> MUST reference NID_userId. To me that looks clearly like a bug in
>>> mod_ssl.
>>
>> Changing it would break backwards-compat which is why the #ifdef is
>> there (so that the _UID variable refers to the same OID regardless of
>> what OpenSSL version is used).
To get around this: How about letting the deployer specify the OIDs in
httpd.conf? Backwards-compatibility could be achieved with this.
Ciao, Michael.
Re: Extracting SSL_CLIENT_S_DN_UID does not work
DONT SEND ME THIS CRAP THANK'S
Re: Extracting SSL_CLIENT_S_DN_UID does not work
Michael Ströder wrote:
> Joe Orton wrote:
>> On Fri, May 23, 2008 at 05:23:34PM +0200, Michael Ströder wrote:
>>> Ok, then the OID in my cert is 0.9.2342.19200300.100.1.1 (attribute
>>> type 'uid' specified for pilotPerson). That seems right to me since
>>> it's compliant with RFC 4514 which contains a table of short and long
>>> attribute type names and their OIDs (end of chapter 3).
>>>
>>> But now I don't understand the #ifdef-statement mentioned above. From
>>> my understanding it MUST NOT reference NID_x500UniqueIdentifier. It
>>> MUST reference NID_userId. To me that looks clearly like a bug in
>>> mod_ssl.
>>
>> Changing it would break backwards-compat which is why the #ifdef is
>> there (so that the _UID variable refers to the same OID regardless of
>> what OpenSSL version is used).
>
> 1. I seriously doubt that there are any certs out there which use
> x500UniqueIdentifier in the subject-DN. If yes, then these certs are
> also seriously broken.
>
> 2. It's simply broken that attribute type UID in mod_ssl differs from
> OpenSSL here.
Please take note of this Apache issue and consider the patch attached:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45107
Ciao, Michael.