Red Hat Bugzilla – Bug 198480
FakeBasicAuth does not respect SSLUserName when using certificate based auth
Last modified: 2007-11-30 17:07:26 EST
Description of problem:
When using certificate based authentication with mod_ssl, FakeBasicAuth will
ONLY use the subject DN of the certificate. In some cases this results in
absolutely horrid usernames. SSLUserName should be honored when using
FakeBasicAuth. Related upstream bug is
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Enable SSLVerifyClient in /etc/httpd/conf.d/ssl.conf
2. Enable FakeBasicAuth in SSLOptions in /etc/httpd/conf.d/ssl.conf
3. Set SSLUserName to SSL_CLIENT_S_DN_CN
4. Log in with certificate
Actual results:
Username is still Subject DN
Expected results:
Username = value set in SSLUserName
Username should be configurable to various fields in the certificate with
FakeBasicAuth to make administration and integration easier.
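The reproduction steps above written out as an ssl.conf fragment, with a log line for checking which user name mod_ssl hands to Basic auth. This is an added example, not taken from the report or the attached patch; the CA file path, the /protected location, the user-file and log paths, and the sample DN are assumptions made for illustration.

```apache
# Fragment for /etc/httpd/conf.d/ssl.conf, placed inside the existing SSL
# virtual host. All paths and the /protected location are assumed values.

# Step 1: require a client certificate issued by a trusted CA.
SSLVerifyClient require
SSLVerifyDepth 2
SSLCACertificateFile /etc/pki/tls/certs/client-ca.crt

<Location /protected>
    # Step 2: hand the verified certificate to Basic auth as a user.
    SSLOptions +FakeBasicAuth
    SSLRequireSSL

    # Step 3: ask for the user name to come from the certificate's CN.
    SSLUserName SSL_CLIENT_S_DN_CN

    AuthType Basic
    AuthName "Certificate login"
    # Entries in this file are keyed by the user name FakeBasicAuth supplies.
    AuthUserFile /etc/httpd/conf/cert-users.passwd
    Require valid-user
</Location>

# Check: log the authenticated user (%u) beside the full subject DN and the CN,
# so the value actually used for authentication is visible per request.
CustomLog logs/ssl_user_log "%h %u \"%{SSL_CLIENT_S_DN}x\" \"%{SSL_CLIENT_S_DN_CN}x\""

# Constructed client certificate subject for illustration:
#   /C=US/O=Example Agency/OU=People/CN=Jane Doe
#
# Behaviour reported in this bug: the user name is the whole subject DN,
#   /C=US/O=Example Agency/OU=People/CN=Jane Doe
# Behaviour requested: the user name is the SSLUserName value,
#   Jane Doe
```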
Created attachment 132237
Patch adapted from upstream
The component this request has been filed against is not planned for inclusion
in the next update. The decision is based on weighting the priority and number
of requests for a component as well as the impact on the Red Hat Enterprise
Linux user-base: other components are considered having higher priority and the
number of changes we intend to include in update cycles is limited.
Product Management has reviewed and declined this request. You may appeal this
decision by reopening this request.
This is for an ongoing HSPD-12 implementation, and is fairly important. This has
been opened via paid support as well. If there's a technical reason why
this isn't being implemented, or it causes issues, but WONTFIX for a paid
support sister issue for HSPD-12 compliance with no reason leaves a very bitter
taste. This is a good patch that works with no interference to any user other
than people using PKI authentication, and for them it provides more options. I
fail to see the problem here.
BZ is apparently not allowing me to re-open this ticket, even though I'm the
original submitter. Consider it reopened please.