I've had a user hit this: with FakeBasicAuth the client DN gets
translated into a Basic auth blob of base64("username:password"), which
then fails when the username part contains a ":" colon character.

At minimum mod_ssl could/should catch and fail auth under FakeBasicAuth
when DN is seen with a ":", that's easy enough. We *could* also try
escaping the colon, but that introduces an inevitable ambiguity since
there is no escaping standard.

One approach would be to escape any colon in the DN by replacing with
some unusual character sequence ("@@@@" or whatever) and then only fail
for unescaped DNs which contain that sequence to avoid ambiguity
problems.

Any opinions before I hack something up?

Probably the "correct" way to approach this problem is using Graham's
nice hacks in the trunk to allow users to construct an appropriate
username:password blob based on expressions:
http://svn.apache.org/viewvc?view=revision&revision=r1457471
but even that does not actually protect against the "colon problem".
Regards, Joe
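
The colon problem and the escaping idea from the message above, as an added example that is not part of the original message and is not mod_ssl code. The sample DN is constructed, the fixed password string "password" is an assumption, and the round-trip check is a stricter generalization of the "fail if the DN already contains the sequence" rule.

```python
import base64

ESCAPE = "@@@@"  # escape sequence floated in the message; not any standard


def fake_basic_blob(username, password="password"):
    """base64("username:password"); the fixed password is an assumption."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_basic(blob):
    """Split the decoded credential at the FIRST colon, as RFC 7617 requires."""
    user, sep, password = base64.b64decode(blob).decode().partition(":")
    if not sep:
        raise ValueError("no colon in credential")
    return user, password


def unescape_dn(username):
    return username.replace(ESCAPE, ":")


def escape_dn(dn):
    """Replace ':' with ESCAPE, refusing any DN that would not round-trip.

    This rejects DNs that already contain ESCAPE and also DNs such as
    'a@:b', where a literal '@' next to an escaped colon shifts the match.
    """
    escaped = dn.replace(":", ESCAPE)
    if unescape_dn(escaped) != dn:
        raise ValueError("DN cannot be escaped unambiguously; fail auth")
    return escaped


if __name__ == "__main__":
    dn = "/C=US/O=Example/CN=svc:backup"  # constructed sample DN
    print(parse_basic(fake_basic_blob(dn)))             # username is truncated
    print(parse_basic(fake_basic_blob(escape_dn(dn))))  # username survives
```

Without escaping, the consumer of the blob sees a different username and a password that no longer matches; with escaping, any DN that fails the round-trip check has to be rejected rather than passed through.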