A flaw was reported in the way mod_nss handled FakeBasicAuth NSSOption. Unlike mod_ssl, mod_nss only used CommonName from a client certificate's subject, rather than the whole subject DN. This made safety check inherited from mod_ssl that ensured client can not submit username and password generated by FakeBasicAuth via Authorization header without actually providing valid client certificate. Further details are in the Jared Jennings' post to the mod_nss mailing list: https://www.redhat.com/archives/mod_nss-list/2011-May/msg00001.html Problem was corrected in the following upstream git commit: https://git.fedorahosted.org/cgit/mod_nss.git/commit/?id=a6c3370491ae1d3bc552e8de9353c82f73e510e3 This fix is not yet included in any released mod_nss version. The last released version to date is 1.0.8 from Jul 2008. This problem was already corrected in Red Hat Enterprise Linux 5 and 6 mod_nss packages via the following errata: https://rhn.redhat.com/errata/RHBA-2011-1656.html https://rhn.redhat.com/errata/RHBA-2013-0009.html
It should be noted that after the fix, any htpasswd file that was created for use with older mod_nss version (i.e. file that only contains CN for user name) need to be changed to use full DN. This is required to both make authentication work for valid users authenticating using client certificates, as well as to address the authentication bypass.
Created mod_nss tracking bugs for this issue: Affects: fedora-all [bug 1017675]