Joe,

many thanks for your response.

Joe Orton wrote:
> On Mon, May 19, 2008 at 10:13:45AM +0200, Michael Ströder wrote:
>
>> Maybe I'm overlooking the obvious but it seems that env var
>> SSL_CLIENT_S_DN_UID is not set when using a client cert for authentication.
>>
>> The following env vars displayed in my SSI HTML text are relevant here
>> (obfuscated to protect privacy):
>>
>> SSL_CLIENT_S_DN: /O=Company Name/OU=Authc/UID=userid/CN=Full name
>> SSL_CLIENT_S_DN_UID: (none)
>>
>> Is it caused by UID not being the leaf RDN?
>
> That shouldn't make any difference.

Ok, fine.

> What versions of OpenSSL and httpd/mod_ssl are you using?

Actually pre-built RPMs shipped with openSUSE 10.3:

# rpm -q openssl apache2
openssl-0.9.8e-45.5
apache2-2.2.4-70.4

Not sure whether these RPMs are based on sources patched by openSUSE.

> The "UID" DN tag is ambiguous and probably maps to something other than what your subject DN uses.
>
> In the current 2.x mod_ssl sources, UID maps to:
>
> #ifdef NID_x500UniqueIdentifier /* new name as of Openssl 0.9.7 */
>     { "UID",   NID_x500UniqueIdentifier   },
> #else /* old name, OpenSSL < 0.9.7 */
>     { "UID",   NID_uniqueIdentifier       },
> #endif

Hmm, the user ID is already stored by mod_ssl with attribute name "UID" in env var SSL_CLIENT_S_DN. Given that it's OpenSSL 0.9.8 and that the attribute type seems to be interpreted as UID, is it safe to assume that the cert contains the right OID?

If NID_x500UniqueIdentifier maps to OID 2.5.4.45 it's plain wrong anyway...

Ciao, Michael.
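As an added illustration of the mismatch discussed above (example code, not from the thread or from mod_ssl): the block builds a DER subject Name whose UID attribute carries the RFC 1274 userid OID 0.9.2342.19200300.100.1.1 (the OID OpenSSL prints as "UID=" in the oneline DN), then applies a lookup keyed on 2.5.4.45 (x500UniqueIdentifier), which is what a table entry mapping "UID" to NID_x500UniqueIdentifier resolves to. The table model, the one-attribute-per-RDN assumption and the short-form-length-only DER encoder are simplifications of this example.

```python
USERID_OID = "0.9.2342.19200300.100.1.1"   # RFC 1274 userid; OpenSSL short name "UID"
X500_UNIQUE_ID_OID = "2.5.4.45"            # x500UniqueIdentifier (NID_x500UniqueIdentifier)
MODSSL_UID_TABLE_OID = X500_UNIQUE_ID_OID  # assumed: what the quoted table entry "UID" resolves to

def _der(tag, body):         # TLV with short-form length only (bodies here are < 128 bytes)
    return bytes([tag, len(body)]) + body

def _tlv(buf, pos):          # parse one short-form TLV -> (tag, contents, next_pos)
    tag, length = buf[pos], buf[pos + 1]
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def encode_oid(dotted):      # OBJECT IDENTIFIER: first two arcs packed, rest base-128
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.insert(0, 0x80 | (a & 0x7F))
        body += bytes(chunk)
    return _der(0x06, bytes(body))

def decode_oid(body):        # inverse of encode_oid, operating on the OID contents octets
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def encode_name(avas):       # Name ::= SEQUENCE OF SET OF SEQUENCE {type OID, value UTF8String}
    rdns = [_der(0x31, _der(0x30, encode_oid(o) + _der(0x0C, v.encode()))) for o, v in avas]
    return _der(0x30, b"".join(rdns))

def subject_attrs(der):      # -> [(oid, value), ...] for a Name with single-valued RDNs
    _, seq, _ = _tlv(der, 0)
    pos, out = 0, []
    while pos < len(seq):
        _, rdn, pos = _tlv(seq, pos)
        _, atv, _ = _tlv(rdn, 0)
        _, oid_body, p = _tlv(atv, 0)
        out.append((decode_oid(oid_body), _tlv(atv, p)[1].decode()))
    return out

def ssl_client_s_dn_uid(der):  # value the modelled SSL_CLIENT_S_DN_UID lookup yields, or None
    return next((v for o, v in subject_attrs(der) if o == MODSSL_UID_TABLE_OID), None)

if __name__ == "__main__":   # constructed subject mirroring the obfuscated DN from the thread
    ldap_style = encode_name([("2.5.4.10", "Company Name"), (USERID_OID, "userid"), ("2.5.4.3", "Full name")])
    print(ssl_client_s_dn_uid(ldap_style))  # None: oneline DN shows UID=userid, env var stays unset
```

Swapping MODSSL_UID_TABLE_OID for USERID_OID makes the same lookup return "userid", which is the check that tells you whether the table or the certificate is the side that disagrees.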
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]