Full_Name: Jan Dundacek
Version: mod_ssl-2.8.0-1.3.17
OS: Red Hat Linux 6.2
Submission from: (NULL) (194.149.101.194)
I have a problem with authentication based on client certificates using
FakeBasicAuth and mod_auth. When I use SSLRequire %{SSL_CLIENT_S_DN} eq "..."
instead of mod_auth, it works.
1. Configuration:
...
AuthName Private
AuthType Basic
AuthUserFile /home/dundacek/etc/pass
require valid-user
SSLOptions +FakeBasicAuth
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /home/dundacek/apache/conf/ssl.crt/ca.crt
...
2. /home/dundacek/etc/pass:
/C=CZ/ST=33/L=Borac/O=PVT/OU=VPV/CN=Jan Dundacek/Email=[EMAIL PROTECTED]:xxj31ZMTZzkVA
3. ssl_engine_log:
[28/Feb/2001 16:21:56 01136] [info] Connection to child 0 established (server p70u01.brn.pvt.cz:8443, client 172.17.41.99)
[28/Feb/2001 16:21:56 01136] [info] Seeding PRNG with 1160 bytes of entropy
[28/Feb/2001 16:21:56 01136] [info] Connection: Client IP: 172.17.41.99, Protocol: SSLv3, Cipher: RC4-MD5 (128/128 bits)
[28/Feb/2001 16:21:56 01136] [info] Initial (No.1) HTTPS request received for child 0 (server p70u01.brn.pvt.cz:8443)
[28/Feb/2001 16:21:56 01136] [info] JD: start
[28/Feb/2001 16:21:56 01136] [info] Faking HTTP Basic Auth header: "Authorization: Basic L0M9Q1ovU1Q9MzMvTD1Cb3JhYy9PPVBWVC9PVT1WUFYvQ049SmFuIER1bmRhY2VrL0VtYWlsPUphbi5EdW5kYWNla0BwdnQuY3o6cGFzc3dvcmQ"
[28/Feb/2001 16:21:56 01136] [info] JD: declined 6
[28/Feb/2001 16:21:56 01136] [info] JD: start
[28/Feb/2001 16:21:56 01136] [info] JD: forbidden 2
[28/Feb/2001 16:21:56 01136] [info] Connection to child 0 closed with unclean shutdown (server p70u01.brn.pvt.cz:8443, client 172.17.41.99)
4. I added some "JD:" messages to ssl_engine_kernel.c, function ssl_hook_Auth:
...
    ssl_log(r->server, SSL_LOG_INFO, "JD: start");
    if (   (dc->nOptions & SSL_OPT_STRICTREQUIRE)
        && (ap_table_get(r->notes, "ssl-access-forbidden") != NULL)) {
        ssl_log(r->server, SSL_LOG_INFO, "JD: forbidden 1");
        return FORBIDDEN;
    }
...
    /* Reject a Basic Auth header that looks like a faked one (DN as user, "password" as password) */
    if ((cpAL = ap_table_get(r->headers_in, "Authorization")) != NULL) {
        if (strcEQ(ap_getword(r->pool, &cpAL, ' '), "Basic")) {
            while (*cpAL == ' ' || *cpAL == '\t')
                cpAL++;
            cpAL = ap_pbase64decode(r->pool, cpAL);
            cpUN = ap_getword_nulls(r->pool, &cpAL, ':');
            cpPW = cpAL;
            if (cpUN[0] == '/' && strEQ(cpPW, "password")) {
                ssl_log(r->server, SSL_LOG_INFO, "JD: forbidden 2");
                return FORBIDDEN;
            }
        }
    }
    /*
     * We decline operation in various situations...
     */
    if (!sc->bEnabled) {
        ssl_log(r->server, SSL_LOG_INFO, "JD: declined 1");
        return DECLINED;
    }
    if (ap_ctx_get(r->connection->client->ctx, "ssl") == NULL) {
        ssl_log(r->server, SSL_LOG_INFO, "JD: declined 2");
        return DECLINED;
    }
    if (!(dc->nOptions & SSL_OPT_FAKEBASICAUTH)) {
        ssl_log(r->server, SSL_LOG_INFO, "JD: declined 3");
        return DECLINED;
    }
    if (r->connection->user) {
        ssl_log(r->server, SSL_LOG_INFO, "JD: declined 4");
        return DECLINED;
    }
    if ((clientdn = (char *)ap_ctx_get(r->connection->client->ctx,
                                       "ssl::client::dn")) == NULL) {
        ssl_log(r->server, SSL_LOG_INFO, "JD: declined 5");
        return DECLINED;
    }
    /* Build "Basic base64(DN:password)" and inject it into the request headers */
    ap_snprintf(b1, sizeof(b1), "%s:password", clientdn);
    ssl_util_uuencode(b2, b1, FALSE);
    ap_snprintf(b1, sizeof(b1), "Basic %s", b2);
    ap_table_set(r->headers_in, "Authorization", b1);
    ssl_log(r->server, SSL_LOG_INFO,
            "Faking HTTP Basic Auth header: \"Authorization: %s\"", b1);
    ssl_log(r->server, SSL_LOG_INFO, "JD: declined 6");
    return DECLINED;
}
5. It seems that this function is called twice, and the second time it
returns FORBIDDEN ...
6. When I change the order of mod_ssl and mod_auth in AddModule and type the
subject of the client certificate and "password" by hand, it works. So the
/home/dundacek/etc/pass file seems to be OK.
Can you help me, please?
Thank you
Jan
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
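The following is an added illustration, not code from the post or from mod_ssl: a small Python model of the FakeBasicAuth hook whose fragment is quoted above. It builds the "Basic base64(DN:password)" header the way the fragment does, applies the same guard (a DN-shaped username with the fixed password "password" is refused), and reproduces the reporter's observation that running the hook twice on one request makes the second run refuse the header the first run injected. It also shows one hypothetical way to distinguish the hook's own header from one sent by a client, by recording the injected value in the request notes under an assumed key "ssl-fakebasicauth"; that key, the Request class and the DN used are constructed for this example and are not mod_ssl's. Verification against the crypt password file is left to mod_auth and is not modelled.

```python
"""Model of a FakeBasicAuth-style auth hook (constructed illustration, not mod_ssl code)."""
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

DECLINED = "DECLINED"            # stand-ins for Apache's handler return codes
FORBIDDEN = "FORBIDDEN"
FAKE_PASSWORD = "password"       # the fixed password FakeBasicAuth places in the header
NOTE_KEY = "ssl-fakebasicauth"   # hypothetical r->notes key, not a real mod_ssl name


@dataclass
class Request:
    """The few request_rec fields the hook touches (constructed stand-in)."""
    client_dn: Optional[str]                    # ssl::client::dn; None if no client cert
    headers_in: Dict[str, str] = field(default_factory=dict)
    notes: Dict[str, str] = field(default_factory=dict)
    user: Optional[str] = None                  # r->connection->user


def make_fake_header(dn: str) -> str:
    """Build the header the hook injects: 'Basic ' + base64(DN + ':password')."""
    raw = f"{dn}:{FAKE_PASSWORD}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header: str) -> Optional[Tuple[str, str]]:
    """Decode 'Basic <b64>' into (user, password); None if not Basic or undecodable."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(rest.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, password = decoded.partition(":")
    return user, password


def looks_faked(header: str) -> bool:
    """The guard from the posted fragment: DN-shaped user plus the fixed password."""
    parsed = parse_basic(header)
    return parsed is not None and parsed[0].startswith("/") and parsed[1] == FAKE_PASSWORD


def hook_auth_as_reported(r: Request) -> str:
    """Follows the control flow of the posted ssl_hook_Auth fragment."""
    header = r.headers_in.get("Authorization")
    if header is not None and looks_faked(header):
        return FORBIDDEN                        # "JD: forbidden 2"
    if r.user is not None:
        return DECLINED                         # "JD: declined 4"
    if r.client_dn is None:
        return DECLINED                         # "JD: declined 5" (no verified client cert)
    r.headers_in["Authorization"] = make_fake_header(r.client_dn)
    return DECLINED                             # "JD: declined 6"


def hook_auth_hardened(r: Request) -> str:
    """Hypothetical variant: remember the header we injected so that a second
    run on the same request recognises it instead of refusing it."""
    header = r.headers_in.get("Authorization")
    if header is not None and looks_faked(header):
        if r.notes.get(NOTE_KEY) == header:     # our own header from an earlier run
            return DECLINED
        return FORBIDDEN                        # supplied by the client: refuse it
    if r.user is not None or r.client_dn is None:
        return DECLINED
    header = make_fake_header(r.client_dn)
    r.headers_in["Authorization"] = header
    r.notes[NOTE_KEY] = header
    return DECLINED


def run_twice(hook: Callable[[Request], str], dn: str) -> Tuple[str, str]:
    """Invoke a hook twice on one request with a verified client DN, as the log shows."""
    r = Request(client_dn=dn)
    return hook(r), hook(r)


if __name__ == "__main__":
    dn = "/C=XX/O=Example/CN=Alice"             # constructed DN
    print("as reported:", run_twice(hook_auth_as_reported, dn))   # (DECLINED, FORBIDDEN)
    print("hardened:   ", run_twice(hook_auth_hardened, dn))      # (DECLINED, DECLINED)
```

The first pair of results is the sequence in the log ("declined 6" followed by "forbidden 2"): the guard cannot tell the hook's own header from one a client typed in, so the second invocation refuses it. The hardened variant keeps the guard for client-supplied headers and only tolerates the exact value it recorded itself.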