Oups, upon closer inspection of the BUG found here:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45107
I see the following at the bottom:
This issue was fixed in 2.2.x branch with r811812
<https://svn.apache.org/viewcvs.cgi?view=rev&rev=811812> and will
ship with httpd 2.2.14.
Assuming the BUG is, in fact, my problem I'll wait and test with 2.2.14.
Sorry, I was testing with 2.2.13.
Cdlt, Dave
----
David (Dave) Donnan wrote:
Hello and thanks for all your help in the past.
I'm an x SUN (iplanet/Sun ONE) employee retraining on OpenSource so I
really appreciate any help that you can give me. It's incredible to see
this community helping each other (for FREE !) and I intend to
participate actively in the future.
I've installed Fedora 12 with apache httpd-2.2.13-4.fc12.i686. I've
configured httpd for client-side certificate authentication.
Once authenticated, I have the following CGI environment variables:
SSL_CLIENT_S_DN = /O=<organization>/CN=DONNAN
David/emailAddress=david.donnan@<company>.com/UID=T1234567
SSL_CLIENT_S_DN_CN = DONNAN David
SSL_CLIENT_S_DN_Email = david.donnan@<company>.com
SSL_CLIENT_S_DN_O = <organization>
...
However, the following variable is not instantiated :
SSL_CLIENT_S_DN_UID
Note that it appears, in fact, in SSL_CLIENT_S_DN (at the end) !!
Q1. Can anyone help me instantiate this variable - is there further
apache HTTPD configuration to be done ?
_/*Notes:*/_
1. Last summer I thought the problem was related to the following BUG
and so I put this project on hold:
https://issues.apache.org/bugzilla/show_bug.cgi?id=45107
Hence why I've waited for Fedora 12 where they say the above BUG is fixed.
2. In the past I've had a similar problem with openSSL where I must
manually change openssl.cnf as follows:
[ new_oids ]
# We can add new OIDs in here for use by 'ca' and 'req'.
# Add a simple OID like this:
# testoid1=1.2.3.4
# Or use config file substitution like this:
# testoid2=${testoid1}.5.6
# Following line added by DD Summer 2007
uid=0.9.2342.19200300.100.1.1
Reference:
http://www.openldap.org/lists/openldap-software/200309/msg00422.html
BIG thanks to Jeff Warnica for the OpenSSL solution.
Q2. Is this related, perhaps ?
3. /etc/httpd/conf.d/ssl.conf
Listen 0.0.0.0:443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog builtin
SSLSessionCache none
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 20
# SSLMutex file:logs/ssl_mutex
SSLMutex default
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
<VirtualHost _default_:443>
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
SSLEngine on
SSLCipherSuite
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP
SSLCertificateFile /etc/httpd/conf/<hostname>.pem
SSLCertificateKeyFile /etc/httpd/conf/<hostname>.key
# SSLCACertificateFile /etc/httpd/conf/ca.pem
SSLCACertificateFile /etc/httpd/conf/<name>.pem
SSLVerifyClient require
SSLVerifyDepth 10
# SSLUserName SSL_CLIENT_S_DN_Email
SSLUserName SSL_CLIENT_S_DN
# SSLUserName SSL_CLIENT_S_DN_CN
# SSLUserName SSL_CLIENT_S_DN_UID
# SSLUserName SSL_CLIENT_S_DN_NID_userId
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/var/www/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
4. test:cgi
#!/usr/bin/perl
print "Content-type: text/html\n\n";
print "<tt>\n";
foreach $key (sort keys(%ENV)) {
print "$key = $ENV{$key}<p>";
}
Any help would be greatly appreciated, thanks, Dave
-----
