Bug 198480 - FakeBasicAuth does not respect SSLUserName when using certificate based auth
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: mod_ssl
Version: 4.0
Hardware/OS: All Linux
Priority: medium
Severity: high
Assigned To: Joe Orton
Reported: 2006-07-11 09:31 EDT by Jim Perrin
Modified: 2007-11-30 17:07 EST (History)

Doc Type: Bug Fix
Last Closed: 2006-09-05 15:46:50 EDT

Attachments
Patch adapted from upstream (1.17 KB, patch), 2006-07-11 09:31 EDT, Jim Perrin


External Trackers
Apache Bugzilla 31418

Description Jim Perrin 2006-07-11 09:31:21 EDT
Description of problem:
When using certificate based authentication with mod_ssl, FakeBasicAuth will
ONLY use the subject DN of the certificate. In some cases this results in
absolutely horrid usernames. SSLUserName should be honored when using
FakeBasicAuth. Related upstream bug is
http://issues.apache.org/bugzilla/show_bug.cgi?id=31418

Version-Release number of selected component (if applicable):
2.0.52-22

How reproducible:
Always

Steps to Reproduce:
1. Enable SSLVerifyClient in /etc/httpd/conf.d/ssl.conf
2. Enable FakeBasicAuth in SSLOptions in /etc/httpd/conf.d/ssl.conf
3. Set SSLUserName to SSL_CLIENT_S_DN_CN
4. Log in with certificate
  
Actual results:
Username is still Subject DN

Expected results:
Username = value set in SSLUserName

Additional info:
Username should be configurable to various fields in the certificate with
FakeBasicAuth to make administration and integration easier.
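The configuration that the reproduction steps describe, written out as an added example; it is not part of the bug report or of the attached patch. The `/secure` location, the certificate and CA file paths, the `SSLVerifyDepth` value and the `/etc/httpd/conf/fakebasic.users` user file are assumptions for illustration. The fixed FakeBasicAuth password hash `xxj31ZMTZzkVA` (the DES crypt of the word `password`) is the one the mod_ssl documentation prescribes for every entry in the user file, because FakeBasicAuth never obtains a password from the client.

```apache
# /etc/httpd/conf.d/ssl.conf (excerpt) -- added example, not from the bug report.
# Paths, the /secure location and the user-file name are hypothetical.
<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl.crt/server.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl.key/server.key
    # CA that issued the client (PKI) certificates; only certs chaining to it
    # pass SSLVerifyClient below.
    SSLCACertificateFile  /etc/httpd/conf/ssl.crt/client-ca.crt

    <Location /secure>
        # Step 1 of the report: demand a client certificate (no cert -> handshake fails).
        SSLVerifyClient require
        SSLVerifyDepth  2

        # Step 2: synthesise a Basic-auth username from the verified certificate.
        # Without the patch this is always the full subject DN
        # (e.g. "/C=US/O=Example Agency/OU=People/CN=Jim Perrin").
        SSLOptions +FakeBasicAuth

        # Step 3: the mapping the reporter wants FakeBasicAuth to honour.
        # In the unpatched 2.0.52 build this variable is not used for the
        # FakeBasicAuth username, which is the behaviour this bug reports.
        SSLUserName SSL_CLIENT_S_DN_CN

        # Standard Basic auth against a user file keyed by the derived username.
        AuthType Basic
        AuthName "PKI users"
        AuthUserFile /etc/httpd/conf/fakebasic.users
        Require valid-user
    </Location>
</VirtualHost>
```

The user file must be keyed by whatever username the server actually derives. With the unpatched behaviour that is the whole subject DN, so an entry looks like `/C=US/O=Example Agency/OU=People/CN=Jim Perrin:xxj31ZMTZzkVA`; with the attached patch the value of the `SSLUserName` variable is used instead and the entry becomes `Jim Perrin:xxj31ZMTZzkVA`. Two checks before relying on the CN mapping: the DN string format is whatever the running mod_ssl produces (the one-line slash-separated form shown above in these 2.0-era builds), so copy it from `openssl x509 -noout -subject` output rather than typing it by hand; and keying on `SSL_CLIENT_S_DN_CN` alone makes any two certificates from the trusted CA that share a CN the same account, so either the CA must guarantee CN uniqueness or a more specific certificate variable should be chosen for `SSLUserName`.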
Comment 1 Jim Perrin 2006-07-11 09:31:21 EDT
Created attachment 132237 [details]
Patch adapted from upstream
Comment 3 RHEL Product and Program Management 2006-09-05 15:33:40 EDT
The component this request has been filed against is not planned for inclusion
in the next update. The decision is based on weighting the priority and number
of requests for a component as well as the impact on the Red Hat Enterprise
Linux user-base: other components are considered having higher priority and the
number of changes we intend to include in update cycles is limited.
Comment 4 RHEL Product and Program Management 2006-09-05 15:46:50 EDT
Product Management has reviewed and declined this request. You may appeal this
decision by reopening this request.
Comment 5 Jim Perrin 2006-09-06 14:41:28 EDT
This is for an ongoing HSPD-12 implementation, and is fairly important. This has
been opened via paid support as well. If there's a technical reason why this
isn't being implemented, or it causes issues, that's one thing, but a WONTFIX for
a paid support sister issue for HSPD-12 compliance with no reason leaves a very
bitter taste. This is a good patch that works with no interference to any user
other than people using PKI authentication, and for them it provides more
options. I fail to see the problem here.
Comment 6 Jim Perrin 2006-09-06 15:11:44 EDT
BZ is apparently not allowing me to re-open this ticket, even though I'm the
original submitter. Consider it reopened please. 
