Bug 55593

Summary: Can not read SSL environment variables
Product: [Retired] Red Hat Linux
Reporter: Need Real Name <support>
Component: apache
Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED NOTABUG
QA Contact: David Lawrence <dkl>
Severity: medium
Priority: high
Version: 7.1
Keywords: Security
Hardware: i686
OS: Linux
Doc Type: Bug Fix
Last Closed: 2001-11-09 22:45:38 UTC

Description Need Real Name 2001-11-02 17:08:31 UTC
Description of Problem:

I have Apache compiled with mod_ssl and can not read the SSL environment 
variables in a https://www.xxx.xxx environment.  This means that I can not 
read information about different types of browser certificates required to 
access certain sites.

On a Redhat 6.2 system with a 2.2.x kernel, I could execute the following 
code in a cgi script:

if (( $ENV{SSL_CLIENT_S_DN} !~ /O=Apache Certificate Access Control/)
        && ( $ENV{SSL_CLIENT_S_DN} !~ /O=OTR Communications/)
        && ( $ENV{SSL_CLIENT_S_DN} !~ /O=OTR Comm/)
        && ( $ENV{SSL_CLIENT_S_DN} !~ /O=Wild Apache/)
        && ( $ENV{SSL_CLIENT_S_DN} !~ /O=Wild Apache\, Inc./)
        && ( $ENV{SSL_CLIENT_S_DN} !~ /O=Wild Apache Internet/)
        && ( $ENV{SSL_CLIENT_S_DN} !~ /O=Wild Apache Internet Service/)) {

and look at the Organization/Company of the certificate presented to the 
site.  Then I could make decisions on where to send a given user based on 
the SSL environment variable SSL_CLIENT_S_DN.  Under Redhat 7.1 with a 
2.4.x kernel, the SSL environment variables are not available.  This is 
serious!!

Version-Release number of selected component (if applicable):


How Reproducible:
Out of the box Redhat 7.1 with latest rpm updates and kernel 2.4.9-6

Steps to Reproduce:
1. Recompile Apache with mod_ssl and setup secure server site

2. Try to read SSL environment variables with a script called Env.cgi:

#!/usr/bin/perl

print <<EOF;
Content-type: text/html

<HTML><HEAD>
<TITLE>Environment, port 443, with certificate based access control</TITLE>
</HEAD>

<BODY>
<H1>Environment, port 443, with certificate based access control</H1>

<P>
<HR>
<PRE>
========================================
EOF

foreach $var ( keys %ENV ) {

  print "$var=$ENV{$var}\n" ;

}
print <<EOF;
========================================
</PRE>
<HR>
</BODY>
</HTML>
EOF


3. Go to this script at https://www.xxx.xxx/Env.cgi

Actual Results:

Environment, port 443, with certificate based access control


--------------------------------------------------------------------------------

========================================
QUERY_STRING=
SERVER_ADDR=209.145.208.15
HTTP_ACCEPT_LANGUAGE=en-us, en-us
SERVER_PROTOCOL=HTTP/1.1
HTTP_CONNECTION=Keep-Alive
SERVER_SIGNATURE=
REMOTE_PORT=63937
HTTP_ACCEPT=application/vnd.ms-excel, image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, */*
HTTP_USER_AGENT=Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt; WAN00)
GATEWAY_INTERFACE=CGI/1.1
HTTP_HOST=www.wildapache.com
SERVER_SOFTWARE=Apache/1.3.20 (Unix) mod_ssl/2.8.4 OpenSSL/0.9.6a mod_perl/1.25
SERVER_ADMIN=sysadmin
REMOTE_USER=otrcomm
REMOTE_ADDR=209.145.208.2
SCRIPT_NAME=/userlist/Env.cgi
SERVER_NAME=www.wildapache.com
HTTP_ACCEPT_ENCODING=gzip, deflate, gzip, deflate
HTTPS=on
DOCUMENT_ROOT=/usr/local/apache/share/htdocs/wildapache.com
REQUEST_URI=/userlist/Env.cgi
REQUEST_METHOD=GET
SCRIPT_FILENAME=/usr/local/apache/share/htdocs/wildapache.com/userlist/Env.cgi
PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/kerberos/sbin:/usr/kerberos/bin:/usr/bin:/bin:/usr/local/bin:/usr/X11R6/bin:/root/bin
AUTH_TYPE=Basic
SERVER_PORT=443
========================================


Expected Results:

Should show all my SSL environment variables and their values, but none 
show up.

Additional Information:

Comment 1 Bill Nottingham 2001-11-02 19:12:35 UTC
*** Bug 55594 has been marked as a duplicate of this bug. ***

Comment 2 Need Real Name 2001-11-02 19:47:39 UTC
Question:  If 55594 has been closed because it is a duplicate to 55593 (the 
current bug), will 55594 remain active until a resolution is defined?

Comment 3 Need Real Name 2001-11-05 16:32:07 UTC
Does anyone have any ideas about this issue or is it just sitting in someone's 
queue?  We have to be able to access the SSL environment variables.  Please 
look into this and let me know if there is a fix for it.

Comment 4 Need Real Name 2001-11-09 22:36:57 UTC
Is anyone working on this, or do I just write off Redhat and go to some other 
version of Linux???

Comment 5 Arjan van de Ven 2001-11-09 22:45:32 UTC
I'm sorry to say this, but I think you're using the wrong mechanism; bugzilla is
for reporting bugs, not for support. The URL for support is at
http://www.redhat.com/support and I'm sure the people from support can help you
in a much more timely way.

Comment 6 Mark J. Cox 2001-11-10 08:19:43 UTC
Firstly you say you're working with a *recompiled* version of Apache and
mod_ssl, not the ones that are distributed with Red Hat Linux; therefore this is
not an OS issue, it's an issue with your compilation or subsequent configuration.   

Secondly, mod_ssl has a directive to control the exporting of SSL environment
variables; by default mod_ssl does not export SSL environment variables.  Check
your config file, and the mod_ssl documentation.  

If environment variable exporting does not work with the default Red Hat Linux
configuration and RPMs, please let us know.
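
An added example, not code from the report or from mod_ssl: the kind of organization check the CGI script was making, written so that it denies access when the SSL variables are absent instead of depending on them being there. It assumes the server is configured with `SSLOptions +StdEnvVars` (the mod_ssl directive that exports these variables) and `SSLVerifyClient require`; the allowlist and the sample environments are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Organizations allowed in, compared as whole strings (constructed list).
my %ALLOWED_ORG = map { $_ => 1 } ('OTR Communications', 'Wild Apache, Inc.');

# Returns (1, $org) to allow or (0, $reason) to deny. Missing data means deny.
sub check_client_cert {
    my ($env) = @_;

    return (0, 'not an SSL request') unless ($env->{HTTPS} || '') eq 'on';

    # Unset when mod_ssl is not exporting its variables to the CGI environment.
    my $verify = $env->{SSL_CLIENT_VERIFY};
    return (0, 'SSL variables not exported') unless defined $verify;

    # NONE: no certificate was sent. FAILED:reason: the chain did not validate.
    return (0, "client certificate not verified: $verify")
        unless $verify eq 'SUCCESS';

    # SSL_CLIENT_S_DN_O is the subject's O= component on its own, so it can be
    # compared exactly; a pattern match on the full DN string also accepts any
    # subject that merely contains the text somewhere.
    my $org = $env->{SSL_CLIENT_S_DN_O};
    return (0, 'certificate subject has no organization')
        unless defined $org && length $org;

    return $ALLOWED_ORG{$org} ? (1, $org) : (0, "organization not allowed: $org");
}

# Constructed sample environments; a real CGI script would pass \%ENV.
my %ssl = (HTTPS => 'on', SSL_CLIENT_VERIFY => 'SUCCESS');
my @samples = (
    [ 'export off',  { HTTPS => 'on' } ],
    [ 'no cert',     { HTTPS => 'on', SSL_CLIENT_VERIFY => 'NONE' } ],
    [ 'allowed org', { %ssl, SSL_CLIENT_S_DN_O => 'Wild Apache, Inc.' } ],
    [ 'lookalike',   { %ssl, SSL_CLIENT_S_DN_O => 'Wild Apache, Inc. Fans' } ],
);

for my $sample (@samples) {
    my ($label, $env) = @$sample;
    my ($ok, $detail) = check_client_cert($env);
    printf "%-12s %s (%s)\n", $label, ($ok ? 'ALLOW' : 'DENY'), $detail;
}
```

The "export off" sample has the same shape as the environment dump in the report: `HTTPS=on` is present but no `SSL_*` variable is.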