https://issues.apache.org/bugzilla/show_bug.cgi?id=45107
Summary: Client certificate attribute UID not usable in env var SSL_CLIENT_S_DN_UID since wrong NID/OID assigned
Product: Apache httpd-2
Version: 2.2.8
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: mod_ssl
AssignedTo: [email protected]
ReportedBy: [EMAIL PROTECTED]
Created an attachment (id=22042)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=22042)
Patch for mod_ssl: Map attribute name "UID" to NID_userId
When connecting with a client certificate which contains attribute UID in its
subject-DN the following env vars are set:
SSL_CLIENT_S_DN: /O=Company Name/OU=Authc/UID=userid/CN=Full name
SSL_CLIENT_S_DN_UID: (none)
From discussion on modssl-users list I've learned that SSL_CLIENT_S_DN contains
the string representation of the subject-DN generated by OpenSSL libs and
SSL_CLIENT_S_DN_UID is set by mod_ssl.
Furthermore I've learned that SSL_CLIENT_S_DN_UID is set by mod_ssl based on
attribute 'x500UniqueIdentifier' (OID 2.5.4.45). I consider this to be
seriously broken because the syntax assigned to attribute type
'x500UniqueIdentifier' (OID 2.5.4.45) is 'Bit String' (OID
1.3.6.1.4.1.1466.115.121.1.6) which cannot be used to store a user ID with
characters like 'ABCDEF'.
See also http://www.alvestrand.no/objectid/2.5.4.45.html
Furthermore RFC 4514 contains a table of short and long attribute type names
and their OIDs (end of chapter 3). See the relevant excerpt:
    String  X.500 AttributeType
    ------  --------------------------------------------
    [..]
    UID     userId (0.9.2342.19200300.100.1.1)
So please consider the patch attached to be applied to mod_ssl to fix this bug.
Thanks in advance.
Ciao, Michael.
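
The mismatch described in the report, as an added example that is not part of the original report or of mod_ssl's code: it DER-encodes a constructed subject DN matching the one quoted above and looks up the UID value under each of the two OIDs. The helper names, the UTF8String value encoding and the short-form-length restriction are assumptions of this example.

```python
# Added example: constructed subject DN; minimal DER (short-form lengths only).
OID_USERID = "0.9.2342.19200300.100.1.1"  # "UID" / userId per RFC 4514
OID_X500UID = "2.5.4.45"                  # x500UniqueIdentifier (Bit String syntax)

def tlv(tag, body):
    if len(body) > 127:
        raise ValueError("long-form DER lengths are out of scope here")
    return bytes([tag, len(body)]) + body

def enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]              # last base-128 digit, high bit clear
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body += bytes(reversed(chunk))
    return tlv(0x06, bytes(body))

def dec_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                  # high bit clear ends this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def build_name(attrs):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF SEQUENCE { type OID, value }
    return tlv(0x30, b"".join(
        tlv(0x31, tlv(0x30, enc_oid(oid) + tlv(0x0C, val.encode())))
        for oid, val in attrs))

def read_tlvs(buf):
    i = 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        yield tag, buf[i + 2:i + 2 + length]
        i += 2 + length

def attributes(name_der):
    (_, rdns), = read_tlvs(name_der)      # unwrap the outer SEQUENCE
    out = []
    for _, rdn in read_tlvs(rdns):
        for _, atv in read_tlvs(rdn):
            (_, oid), (_, val) = read_tlvs(atv)
            out.append((dec_oid(oid), val.decode()))
    return out

def lookup(name_der, oid):
    """First value stored under `oid`, or None (what the env var would show)."""
    return next((v for o, v in attributes(name_der) if o == oid), None)

# Constructed DN: /O=Company Name/OU=Authc/UID=userid/CN=Full name
SUBJECT = build_name([("2.5.4.10", "Company Name"), ("2.5.4.11", "Authc"),
                      (OID_USERID, "userid"), ("2.5.4.3", "Full name")])
```

`lookup(SUBJECT, OID_X500UID)` finds nothing, while `lookup(SUBJECT, OID_USERID)` returns the user ID, which is the behaviour difference the report attributes to the NID choice.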