Bug 198480 - FakeBasicAuth does not respect SSLUserName when using certificate based auth
Summary: FakeBasicAuth does not respect SSLUserName when using certificate based auth
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: mod_ssl
Version: 4.0
Hardware: All
OS: Linux
medium
high
Target Milestone: ---
: ---
Assignee: Joe Orton
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2006-07-11 13:31 UTC by Jim Perrin
Modified: 2007-11-30 22:07 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-09-05 19:46:50 UTC
Target Upstream Version:
Embargoed:


Attachments
Patch adapted from upstream (1.17 KB, patch)
2006-07-11 13:31 UTC, Jim Perrin


Links
System: Apache Bugzilla   ID: 31418   Private: 0   Priority: None   Status: None   Summary: None   Last Updated: Never

Description Jim Perrin 2006-07-11 13:31:21 UTC
Description of problem:
When using certificate based authentication with mod_ssl, FakeBasicAuth will
ONLY use the subject DN of the certificate. In some cases this results in
absolutely horrid usernames. SSLUserName should be honored when using
FakeBasicAuth. Related upstream bug is
http://issues.apache.org/bugzilla/show_bug.cgi?id=31418

Version-Release number of selected component (if applicable):
2.0.52-22

How reproducible:
Always

Steps to Reproduce:
1. Enable SSLVerifyClient in /etc/httpd/conf.d/ssl.conf
2. Enable FakeBasicAuth in SSLOptions in /etc/httpd/conf.d/ssl.conf
3. Set SSLUserName to SSL_CLIENT_S_DN_CN
4. Log in with certificate
  
Actual results:
Username is still Subject DN

Expected results:
Username = value set in SSLUserName

Additional info:
Username should be configurable to various fields in the certificate with
FakeBasicAuth to make administration and integration easier.
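The following is an added illustration, not part of the bug report or of mod_ssl: it models in Python what the steps above produce. Under SSLOptions +FakeBasicAuth, mod_ssl (2.0/2.2) synthesises a Basic Authorization header from the client certificate's subject DN in the legacy "/C=..../CN=..." form, always with the literal password "password", and the mod_ssl documentation states that the matching AuthUserFile entry must therefore carry that word's DES crypt value, xxj31ZMTZzkVA. The sample DN, the HSPD-12 style field layout and the htpasswd lines are constructed; `ssl_username` assumes the first value of a repeated RDN is the one selected, which is a simplification of mod_ssl's behaviour rather than a documented guarantee.

```python
import base64
from typing import Dict, List

# Constructed sample subject DN in the one-line, slash-separated format that
# httpd 2.0/2.2 exposes as SSL_CLIENT_S_DN (fictitious HSPD-12 style cert).
SAMPLE_DN = "/C=US/O=Example Agency/OU=People/OU=Field Office/CN=Jim Perrin/UID=1234567890"

# mod_ssl documents that FakeBasicAuth always supplies the password "password";
# "xxj31ZMTZzkVA" is its DES crypt() value, which every AuthUserFile entry
# used with FakeBasicAuth has to contain.
FAKE_PASSWORD = "password"
FAKE_PASSWORD_CRYPT = "xxj31ZMTZzkVA"


def parse_dn(dn: str) -> Dict[str, List[str]]:
    """Split a legacy '/K=V/K=V' DN into components, keeping repeats (two OUs)."""
    if not dn.startswith("/"):
        raise ValueError("expected a legacy slash-separated DN")
    comps: Dict[str, List[str]] = {}
    for part in dn[1:].split("/"):
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise ValueError(f"malformed DN component: {part!r}")
        comps.setdefault(key, []).append(value)
    return comps


def ssl_username(dn: str, ssl_user_name: str = "SSL_CLIENT_S_DN") -> str:
    """Username SSLUserName would select: the whole DN (the FakeBasicAuth
    behaviour this bug complains about) or a single RDN such as
    SSL_CLIENT_S_DN_CN.  Assumption: for a repeated RDN the first value wins."""
    if ssl_user_name == "SSL_CLIENT_S_DN":
        return dn
    prefix = "SSL_CLIENT_S_DN_"
    if not ssl_user_name.startswith(prefix):
        raise ValueError("only SSL_CLIENT_S_DN* variables are modelled here")
    attr = ssl_user_name[len(prefix):]
    values = parse_dn(dn).get(attr)
    if not values:
        raise KeyError(f"certificate subject has no {attr} component")
    return values[0]


def fake_basic_header(username: str) -> str:
    """Authorization header mod_ssl injects for the request under +FakeBasicAuth."""
    token = base64.b64encode(f"{username}:{FAKE_PASSWORD}".encode()).decode()
    return f"Basic {token}"


def htpasswd_line(username: str) -> str:
    """AuthUserFile entry that will match the injected header."""
    if ":" in username:
        raise ValueError("htpasswd usernames cannot contain ':'")
    return f"{username}:{FAKE_PASSWORD_CRYPT}"


def audit_user_file(lines: List[str]) -> List[str]:
    """Return usernames whose entry can never match a FakeBasicAuth login,
    i.e. whose hash is not the fixed crypt of 'password'.  Entries with a
    real password hash in a file used by FakeBasicAuth are a misconfiguration."""
    bad: List[str] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, digest = line.partition(":")  # htpasswd splits on the first ':'
        if digest != FAKE_PASSWORD_CRYPT:
            bad.append(user)
    return bad


if __name__ == "__main__":
    # Constructed AuthUserFile contents: one DN-style entry, one CN-style
    # entry, and one ordinary password-auth entry that does not belong here.
    user_file = [
        htpasswd_line(ssl_username(SAMPLE_DN)),
        htpasswd_line(ssl_username(SAMPLE_DN, "SSL_CLIENT_S_DN_CN")),
        "bob:$apr1$examplehashvalue",
    ]
    print("FakeBasicAuth user :", ssl_username(SAMPLE_DN))
    print("SSLUserName CN user:", ssl_username(SAMPLE_DN, "SSL_CLIENT_S_DN_CN"))
    print("Injected header    :", fake_basic_header("Jim Perrin"))
    print("Entries that will never match:", audit_user_file(user_file))
```

Two caveats a practitioner would want alongside this. First, because the fake password is a public constant, an AuthUserFile populated for FakeBasicAuth must only protect locations reached through the TLS virtual host that enforces SSLVerifyClient require; if the same file is reused behind plain Basic auth (for example on a non-SSL vhost), anyone who knows a user's DN or CN can log in with "password". Second, the DN string format changed in httpd 2.3.11 and later to RFC 2253 style unless SSLOptions +LegacyDNStringFormat is set, so usernames keyed on the full DN in a 2.0.52-era user file will not match after an upgrade, which is one more reason to key on a single field as this report requests.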

Comment 1 Jim Perrin 2006-07-11 13:31:21 UTC
Created attachment 132237 [details]
Patch adapted from upstream

Comment 3 RHEL Program Management 2006-09-05 19:33:40 UTC
The component this request has been filed against is not planned for inclusion
in the next update. The decision is based on weighing the priority and number
of requests for a component as well as the impact on the Red Hat Enterprise
Linux user-base: other components are considered to have higher priority, and the
number of changes we intend to include in update cycles is limited.

Comment 4 RHEL Program Management 2006-09-05 19:46:50 UTC
Product Management has reviewed and declined this request.  You may appeal this
decision by reopening this request. 

Comment 5 Jim Perrin 2006-09-06 18:41:28 UTC
This is for an ongoing HSPD-12 implementation, and is fairly important. This has
been opened via paid support as well. If there's a technical reason why
this isn't being implemented, or it causes issues, but WONTFIX for a paid
support sister issue for HSPD-12 compliance with no reason leaves a very bitter
taste. This is a good patch that works with no interference to any user other
than people using PKI authentication, and for them it provides more options. I
fail to see the problem here.

Comment 6 Jim Perrin 2006-09-06 19:11:44 UTC
BZ is apparently not allowing me to re-open this ticket, even though I'm the
original submitter. Consider it reopened please. 

