SSL_CLIENT_S_DN_UID not available with client certificate authentication

Hello and thanks for all your help in the past.

I'm an ex-SUN (iPlanet/Sun ONE) employee retraining on open source, so I
really appreciate any help that you can give me. It's incredible to see
this community helping each other (for FREE!) and I intend to
participate actively in the future.

I've installed Fedora 12 with apache httpd-2.2.13-4.fc12.i686. I've
configured httpd for client-side certificate authentication.

Once authenticated, I have the following CGI environment variables:

SSL_CLIENT_S_DN = /O=<organization>/CN=DONNAN David/emailAddress=david.donnan [at] <company>.com/UID=T1234567

SSL_CLIENT_S_DN_CN = DONNAN David

SSL_CLIENT_S_DN_Email = david.donnan [at] <company>.com

SSL_CLIENT_S_DN_O = <organization>

...

However, the following variable is not instantiated:

SSL_CLIENT_S_DN_UID

Note that it appears, in fact, in SSL_CLIENT_S_DN (at the end)!

Q1. Can anyone help me instantiate this variable - is there further
Apache HTTPD configuration to be done?

Notes:

1. Last summer I thought the problem was related to the following BUG
and so I put this project on hold:

https://issues.apache.org/bugzilla/show_bug.cgi?id=45107

That is why I waited for Fedora 12, where they say the above BUG is fixed.

2. In the past I had a similar problem with OpenSSL, where I had to
manually change openssl.cnf as follows:

[ new_oids ]

# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Following line added by DD Summer 2007
uid=0.9.2342.19200300.100.1.1

Reference:
http://www.openldap.org/lists/openldap-software/200309/msg00422.html
BIG thanks to Jeff Warnica for the OpenSSL solution.

Q2. Is this related, perhaps?

3. /etc/httpd/conf.d/ssl.conf

Listen 0.0.0.0:443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache none
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 20
# SSLMutex file:logs/ssl_mutex
SSLMutex default
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/<hostname>.pem
SSLCertificateKeyFile /etc/httpd/conf/<hostname>.key
# SSLCACertificateFile /etc/httpd/conf/ca.pem
SSLCACertificateFile /etc/httpd/conf/<name>.pem
SSLVerifyClient require
SSLVerifyDepth 10
# SSLUserName SSL_CLIENT_S_DN_Email
SSLUserName SSL_CLIENT_S_DN
# SSLUserName SSL_CLIENT_S_DN_CN
# SSLUserName SSL_CLIENT_S_DN_UID
# SSLUserName SSL_CLIENT_S_DN_NID_userId
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>

4. test.cgi

#!/usr/bin/perl
use strict;
use warnings;

# Dump every CGI environment variable. Values are HTML-escaped so that
# certificate attributes (supplied by the issuing CA) cannot inject markup.
sub esc { my $s = shift; $s =~ s/&/&amp;/g; $s =~ s/</&lt;/g; $s =~ s/>/&gt;/g; return $s; }

print "Content-type: text/html\n\n";
print "<tt>\n";
foreach my $key (sort keys %ENV) {
    print esc($key), " = ", esc($ENV{$key}), "<p>\n";
}


Any help would be greatly appreciated, thanks, Dave
-----

david.donnan [ Mon, 01 March 2010 16:51 ] [ ID #2033692 ]
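Until a build containing the fix referenced later in this thread (httpd 2.2.14) is installed, a CGI can fall back to pulling the UID out of SSL_CLIENT_S_DN itself, which is where the poster observes it. The Python below is an added example, not the poster's script and not part of httpd or mod_ssl; it assumes the OpenSSL "oneline" DN format shown in the post (/O=.../CN=.../UID=...), an assumed UID format of "T" plus seven digits modelled on the T1234567 value, and constructed sample environments rather than output captured from the poster's server. The security point it carries is that X509_NAME_oneline() does not escape "/" inside attribute values, so a CN whose value contains "/UID=" cannot be told apart from a genuine UID component; the fallback therefore fails closed when the UID is absent or appears more than once, and prefers the dedicated SSL_CLIENT_S_DN_UID variable whenever mod_ssl provides it.

```python
import os
import re

# Splitter for the OpenSSL "oneline" DN format that mod_ssl 2.2 exports in
# SSL_CLIENT_S_DN, e.g. "/O=Example/CN=DONNAN David/UID=T1234567". A "/" is
# treated as a component separator only when "<attr>=" follows it.
# Caveat (the reason this fallback must fail closed): X509_NAME_oneline()
# does not escape "/" inside attribute values, so a CN whose value contains
# "/UID=..." cannot be told apart from a genuine UID component.
_DN_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")

# Assumed UID format for this example: "T" followed by seven digits, modelled
# on the T1234567 value in the post. Adjust to the issuing CA's real policy.
UID_PATTERN = re.compile(r"^T[0-9]{7}$")


def parse_oneline_dn(dn):
    """Split a oneline-format DN into an ordered list of (attr, value) pairs."""
    if not dn.startswith("/"):
        raise ValueError("not an OpenSSL oneline DN: %r" % dn)
    pairs = []
    for component in _DN_SPLIT.split(dn[1:]):
        attr, sep, value = component.partition("=")
        if not sep or not attr:
            raise ValueError("malformed DN component: %r" % component)
        pairs.append((attr, value))
    return pairs


def client_uid(environ):
    """Return the authenticated client's UID, or None if it cannot be
    established safely.

    1. Prefer SSL_CLIENT_S_DN_UID, which mod_ssl sets directly once the fix
       discussed in this thread (httpd 2.2.14) is installed.
    2. Otherwise fall back to SSL_CLIENT_S_DN and accept the UID only when
       exactly one UID component is present; zero or several means the DN is
       either missing the attribute or ambiguous, and we fail closed.
    3. In both cases require the value to match the expected UID format.
    """
    uid = environ.get("SSL_CLIENT_S_DN_UID")
    if uid is None:
        dn = environ.get("SSL_CLIENT_S_DN")
        if not dn:
            return None
        try:
            uids = [v for a, v in parse_oneline_dn(dn) if a == "UID"]
        except ValueError:
            return None
        if len(uids) != 1:
            return None
        uid = uids[0]
    return uid if UID_PATTERN.match(uid) else None


# Constructed sample environments (not captured from the poster's server).
ENV_HTTPD_2213 = {  # 2.2.13: UID only reachable inside SSL_CLIENT_S_DN
    "SSL_CLIENT_S_DN": "/O=Example/CN=DONNAN David"
                       "/emailAddress=david.donnan@example.com/UID=T1234567",
    "SSL_CLIENT_S_DN_CN": "DONNAN David",
    "SSL_CLIENT_S_DN_Email": "david.donnan@example.com",
    "SSL_CLIENT_S_DN_O": "Example",
}
ENV_HTTPD_2214 = dict(ENV_HTTPD_2213, SSL_CLIENT_S_DN_UID="T1234567")
# What a certificate with CN "Mallory/UID=T7654321" and a genuine UID would
# look like after X509_NAME_oneline(): two UID components, so it is rejected.
ENV_AMBIGUOUS = {
    "SSL_CLIENT_S_DN": "/O=Example/CN=Mallory/UID=T7654321/UID=T1234567",
}

if __name__ == "__main__":
    # Inside a CGI script the real environment would be passed instead.
    for name, env in (("2.2.13", ENV_HTTPD_2213), ("2.2.14", ENV_HTTPD_2214),
                      ("ambiguous", ENV_AMBIGUOUS), ("live", os.environ)):
        print("%-9s -> %r" % (name, client_uid(env)))
```

The fallback is only as trustworthy as the CA's control over subject contents: if that CA ever issues a certificate without a UID, a subject value containing "/UID=" would pass the exactly-once check, so treat the parser as a stopgap and switch to SSL_CLIENT_S_DN_UID as soon as the upgraded mod_ssl exports it. The SSL_* variables themselves are safe to rely on here because the vhost uses SSLVerifyClient require and client-supplied request headers reach a CGI only under the HTTP_ prefix.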

Re: SSL_CLIENT_S_DN_UID not available with client certificate authentication

Oops, upon closer inspection of the BUG found here:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45107

I see the following at the bottom:

    This issue was fixed in 2.2.x branch with r811812
    <https://svn.apache.org/viewcvs.cgi?view=rev&rev=811812> and will
    ship with httpd 2.2.14.

Assuming the BUG is, in fact, my problem, I'll wait and test with 2.2.14.

Sorry, I was testing with 2.2.13.

Regards, Dave
----

david.donnan [ Tue, 02 March 2010 10:45 ] [ ID #2033796 ]

Re: SSL_CLIENT_S_DN_UID not available with client certificate authentication

FYI. This is a BUG with HTTPD:

The problem was related to
https://issues.apache.org/bugzilla/show_bug.cgi?id=45107 and so I put this
project on hold while waiting for Fedora 13 (with httpd-2.2.14), where they
say the HTTPD BUG is fixed.
------
I simply couldn't wait until April 2010 (Fedora 13 with httpd-2.2.14),
so I used an unofficial copy of httpd-2.2.14 on Fedora 12 (and related RPMs)
found here:

  http://hany.sk/~hany/RPM/f-updates-12-i386/httpd-2.2.14-1.fc12.i686.html

I then installed with the force option of RPM:
{code}
[root [at] James fc12]# ls -tlar

total 1884
drwxr-xr-x. 5 4096 2010-03-02 12:18 ..
-rw-rw-r--. 1 822820 2010-03-02 12:18 httpd-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1 146000 2010-03-02 12:18 httpd-devel-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1 67880 2010-03-02 12:18 httpd-tools-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1 85620 2010-03-02 12:18 mod_ssl-2.2.14-1.fc12.i686.rpm
-rw-rw-r--. 1 787852 2010-03-02 12:18 httpd-manual-2.2.14-1.fc12.noarch.rpm

rpm -iv --force *

[root [at] James fc12]# rpm -qa | grep httpd | sort

httpd-2.2.13-4.fc12.i686
httpd-2.2.14-1.fc12.i686
httpd-devel-2.2.13-4.fc12.i686
httpd-devel-2.2.14-1.fc12.i686
httpd-manual-2.2.13-4.fc12.noarch
httpd-manual-2.2.14-1.fc12.noarch
httpd-tools-2.2.13-4.fc12.i686
httpd-tools-2.2.14-1.fc12.i686
{code}

Dirty, but it works.
------


--
View this message in context: http://old.nabble.com/-users%40httpd--SSL_CLIENT_S_DN_UID-not-available-with-client-certificate-authentication-tp27745302p27985263.html
Sent from the Apache HTTP Server - Users mailing list archive at Nabble.com.


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd.apache.org
To unsubscribe from the digest: users-digest-unsubscribe [at] httpd.apache.org
For additional commands, e-mail: users-help [at] httpd.apache.org
lambam80 [ Mon, 22 March 2010 12:51 ] [ ID #2035967 ]