I'm trying to write an Apache authentication module that uses client
certificates for authentication. Basically, all I'm trying to do is use
what mod_ssl does for cert verification, and then set REMOTE_USER. I
wrote to the list last week about a segfault, which was resolved thanks
to the help you guys gave me. Now I am stuck with a problem that is
likely a logic error on my part, but I have a feeling that my problem
stems from a misunderstanding of how Apache is supposed to work. Since
my module is very short, I'll include it in this email, along with the
relevant contents of my error_log, in the hopes that someone might be
able to point me in the right direction. Thanks!
-------my module, AuthNx509.pm------------
package Apache::AuthNx509;
use strict;
use Apache::Constants qw(:common);
use Text::ParseWords qw(quotewords);
use Apache::Log ();

sub handler {
    my $r = shift;
    my $c = $r->connection;
    my $log = $r->log;
    my $certcomponent = $r->dir_config('CertComponent') ||
        'SSL_CLIENT_S_DN_O';
    my $certcompvalue = $r->dir_config('CertComponentValue') ||
        'University of Wisconsin';
    my $usercomponent = $r->dir_config('RemoteUserCertComponent') ||
        'SSL_CLIENT_S_DN_CN';
    my $uri = $r->uri;
    return unless $r->is_main();
    my $subr = $r->lookup_uri($uri);
    my $apachecertcomp = $subr->subprocess_env($certcomponent);
    $log->notice("hello: $apachecertcomp");
    if ($apachecertcomp eq $certcompvalue)
    {
        $log->notice("$certcompvalue good");
        $c->user = $r->subprocess_env->{$usercomponent};
        $log->notice("$c->user logged in successfully");
        return OK;
    }
    $log->notice("cert no good: $r->subprocess_env->{$certcomponent}");
    my $reason = "Client Cert not in correct form";
    $r->note_basic_auth_failure;
    $r->log_reason($reason, $r->filename);
    return DECLINED;
}
1;
__END__
------------------------------
error log data:
[Thu Jun 5 14:57:11 2003] [notice] [client 128.104.16.134] hello:
[Thu Jun 5 14:57:11 2003] [notice] [client 128.104.16.134] cert no good: Apache=SCALAR(0x8100308)->subprocess_env->{SSL_CLIENT_S_DN_C}
[Thu Jun 5 14:57:11 2003] [error] access to /var/www/html/test failed for 128.104.16.134, reason: Client Cert not in correct form
[Thu Jun 5 14:57:13 2003] [notice] [client 128.104.16.134] hello:
[Thu Jun 5 14:57:13 2003] [notice] [client 128.104.16.134] cert no good: Apache=SCALAR(0x8100308)->subprocess_env->{SSL_CLIENT_S_DN_C}
[Thu Jun 5 14:57:13 2003] [error] access to /var/www/html/test failed for 128.104.16.134, reason: Client Cert not in correct form
[Thu Jun 5 14:57:13 2003] [crit] [client 128.104.16.134] configuration error: couldn't check user. No user file?: /test/
configuration data (in a <Directory> statement):
SSLVerifyClient require
SSLVerifyDepth 10
SSLOptions +StrictRequire
SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
# Force clients to use HTTPS
RewriteEngine on
RewriteCond %{HTTPS} !=on
RewriteRule .* - [F]
AuthName Test
AuthType Basic
PerlAuthenHandler Apache::AuthNx509
PerlSetVar CertComponent SSL_CLIENT_S_DN_C
PerlSetVar CertComponentValue US
PerlSetVar RemoteUserCertComponent SSL_CLIENT_S_DN_CN
require valid-user
Any ideas would be most appreciated. Thanks again!
--Ryan
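
An added example, not part of Ryan's message and not code from mod_perl or mod_ssl: a mod_perl 1 authentication handler that reads the same three PerlSetVar settings and fails closed when the certificate field is missing or does not match. The package name is hypothetical, and the code assumes mod_ssl is exporting the SSL_CLIENT_* variables (SSLOptions +StdEnvVars) so that the lookup_uri subrequest can see them.

```perl
package Apache::AuthNx509Example;    # hypothetical name for this added example
use strict;
use Apache::Constants qw(OK FORBIDDEN);
use Apache::Log ();

sub handler {
    my $r   = shift;
    my $log = $r->log;

    # This handler runs again inside the lookup_uri() subrequest below;
    # let that internal lookup pass so it does not recurse.
    return OK unless $r->is_main;

    my $certcomponent = $r->dir_config('CertComponent')           || 'SSL_CLIENT_S_DN_O';
    my $certcompvalue = $r->dir_config('CertComponentValue')      || 'University of Wisconsin';
    my $usercomponent = $r->dir_config('RemoteUserCertComponent') || 'SSL_CLIENT_S_DN_CN';

    # Assumption: mod_ssl exports SSL_CLIENT_* (SSLOptions +StdEnvVars) and
    # the subrequest has run far enough for them to be populated.
    my $subr = $r->lookup_uri($r->uri);
    my $got  = $subr->subprocess_env($certcomponent);
    my $user = $subr->subprocess_env($usercomponent);

    # Build log messages by concatenation: inside a double-quoted string,
    # "$r->method" interpolates only $r and leaves "->method" as literal text.
    $log->notice("$certcomponent = " . (defined $got ? $got : '(unset)'));

    # Require both fields to be present and the checked field to match exactly.
    unless (defined $got && length $got && $got eq $certcompvalue
            && defined $user && length $user) {
        $r->log_reason("Client cert not in correct form", $r->filename);
        # Fail closed: DECLINED would pass the decision to the next
        # authentication handler instead of refusing the request.
        return FORBIDDEN;
    }

    # user() is a setter method; it cannot be assigned to with "=".
    $r->connection->user($user);
    $log->notice($r->connection->user . " logged in successfully");
    return OK;
}
1;
```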