ID: 42552 User updated by: weisz at vcpc dot univie dot ac dot at Reported By: weisz at vcpc dot univie dot ac dot at -Status: Feedback +Status: Open Bug Type: Apache2 related Operating System: Linux PHP Version: 5.2.6 New Comment:
No it's definitley not a PHP bug. It just popped up with the PHP function apache_getenv(). Your answer citing the discussion entry lead me to the right culprit, even so the patch proposed there is too short sighted for a real solution. My patch submitted to Apache takes care of all single DN components with potentially multiple entries (_DN_x_n, x any DN component, n integer). Previous Comments: ------------------------------------------------------------------------ [2008-09-28 22:59:07] [EMAIL PROTECTED] So it is actually not a php bug? ------------------------------------------------------------------------ [2008-09-28 19:46:42] weisz at vcpc dot univie dot ac dot at The problem is solved by a patch I submitted for Apache bug #45875 (see <https://issues.apache.org/bugzilla/show_bug.cgi?id=45875>). ------------------------------------------------------------------------ [2008-09-24 14:06:05] weisz at vcpc dot univie dot ac dot at After a digging through the sources pertinent to the functions apache_getenv() and the related Apache sources the problem picture Bug 45875 appears as follows: apache_getenv relies on the function apr_table_get() which retrieves the values of entries into a table generated by the Apache function ssl_hook_Fixeup(). The latter doesn't take care of DN component entries that may occur multiple times. I've thus submitted bug report #45875 to Apache. But please don't yet close this present bug since an outcome could be a reply from Apache indicating a different way to access the certificate components made accessible since Apache HTTP 2.1 that could provide a solution on the PHP side. I'll turn back to PHP after getting a reply from Apache. ------------------------------------------------------------------------ [2008-09-23 18:23:39] weisz at vcpc dot univie dot ac dot at The proposed patch is only a dirty one (it restricts the number of OUs to 2 and the DN members with multiplicity to OU), and it unnecessarily puts the check in the wrong place. I checked the relevant code in ssl_engine_kernel.c and especially ssl_engine_vars.c. The function ssl_var_lookup_ssl_cert_dn() in ssl_engine_vars.c takes care of the retrieving of the DN subentries and I couldn't find a flaw when analysing its code (Apache 2.2.8 and 2.2.9 which I've tried both and got the same result). Where in the PHP code is the connection to the top level function ssl_var_lookup() that descends in multiple steps to ssl_var_lookup_ssl_cert_dn()? ------------------------------------------------------------------------ [2008-09-23 00:13:30] [EMAIL PROTECTED] I do not see why PHP would not fetch these vars if apache made them available. Have you tried: http://www.mail-archive.com/[EMAIL PROTECTED]/msg17637.html ------------------------------------------------------------------------ The remainder of the comments for this report are too long. To view the rest of the comments, please view the bug report online at http://bugs.php.net/42552 -- Edit this bug report at http://bugs.php.net/?id=42552&edit=1
