From b5ecd6a0380987ea9a39e1667cca7b06695ce662 Mon Sep 17 00:00:00 2001
From: Graham Leggett
Date: Fri, 11 Jan 2013 22:53:50 +0000
Subject: [PATCH] mod_ssl: Allow the SSLUserName to be used to control the username passed by the FakeBasicAuth option. PR52616.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1432322 13f79535-47bb-0310-9956-ffa450edef68
---
 docs/log-message-tags/next-number | 2 +-
 docs/manual/mod/mod_ssl.xml | 21 ++++++++++++---------
 modules/ssl/ssl_engine_kernel.c | 18 +++++++++++++++---
 3 files changed, 28 insertions(+), 13 deletions(-)

diff --git a/docs/log-message-tags/next-number b/docs/log-message-tags/next-number
index 51d5790fa9..ad9c931523 100644
--- a/docs/log-message-tags/next-number
+++ b/docs/log-message-tags/next-number
@@ -1 +1 @@
-2434
+2435
diff --git a/docs/manual/mod/mod_ssl.xml b/docs/manual/mod/mod_ssl.xml
index 9697b26ee8..91b8be3d41 100644
--- a/docs/manual/mod/mod_ssl.xml
+++ b/docs/manual/mod/mod_ssl.xml
@@ -1282,12 +1282,15 @@ The available options are:

be used for access control. The user name is just the Subject of the Client's X509 Certificate (can be determined by running OpenSSL's openssl x509 command: openssl x509 -noout -subject -in - certificate.crt). Note that no password is - obtained from the user. Every entry in the user file needs this password: - ``xxj31ZMTZzkVA'', which is the DES-encrypted version of the - word `password''. Those who live under MD5-based encryption - (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5 - hash of the same word: ``$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/''.

+ certificate.crt). The optional SSLUserName directive can be used to + specify which part of the certificate Subject is embedded in the username. + Note that no password is obtained from the user. Every entry in the user + file needs this password: ``xxj31ZMTZzkVA'', which is the + DES-encrypted version of the word `password''. Those who + live under MD5-based encryption (for instance under FreeBSD or BSD/OS, + etc.) should use the following MD5 hash of the same word: + ``$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/''.

  • StrictRequire

    @@ -2039,9 +2042,9 @@ string. In particular, this may cause the environment variable REMOTE_USER to be set. The varname can be any of the SSL environment variables.

    -

    Note that this directive has no effect if the -FakeBasicAuth option is used (see SSLOptions).

    +

    When the FakeBasicAuth option is enabled, this directive +instead controls the value of the username embedded within the basic +authentication header (see SSLOptions).

    Example diff --git a/modules/ssl/ssl_engine_kernel.c b/modules/ssl/ssl_engine_kernel.c index 1b69d4c013..7d26038bbd 100644 --- a/modules/ssl/ssl_engine_kernel.c +++ b/modules/ssl/ssl_engine_kernel.c @@ -957,7 +957,7 @@ int ssl_hook_UserCheck(request_rec *r) SSLConnRec *sslconn = myConnConfig(r->connection); SSLSrvConfigRec *sc = mySrvConfig(r->server); SSLDirConfigRec *dc = myDirConfig(r); - char *clientdn; + char *user; const char *auth_line, *username, *password; /* @@ -1023,7 +1023,19 @@ int ssl_hook_UserCheck(request_rec *r) OPENSSL_free(cp); } - clientdn = (char *)sslconn->client_dn; + /* use SSLUserName if defined, otherwise use the full client DN */ + if (dc->szUserName) { + user = ssl_var_lookup(r->pool, r->server, r->connection, + r, (char *)dc->szUserName); + if (!user || !user[0]) { + ap_log_rerror( + APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02434) "Failed to set FakeBasicAuth username to '%s', did not exist in certificate", dc->szUserName); + return DECLINED; + } + } + else { + user = (char *)sslconn->client_dn; + } /* * Fake a password - which one would be immaterial, as, it seems, an empty @@ -1038,7 +1050,7 @@ int ssl_hook_UserCheck(request_rec *r) */ auth_line = apr_pstrcat(r->pool, "Basic ", ap_pbase64encode(r->pool, - apr_pstrcat(r->pool, clientdn, + apr_pstrcat(r->pool, user, ":password", NULL)), NULL); apr_table_setn(r->headers_in, "Authorization", auth_line); -- 2.50.1
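Review bot: The value that ssl_var_lookup() returns for SSLUserName is concatenated straight into the fake `user:password` credential in the third hunk, but the new check in the second hunk only rejects a NULL or empty result; a certificate component that itself contains ':' is presumably split at the first ':' by whatever later parses the Authorization header, so REMOTE_USER would silently become a prefix of the intended name. Rejecting such values alongside the empty case, `if (!user || !user[0] || strchr(user, ':')) {`, routes them through the same logged DECLINED path instead. The APLOGNO(02434) message says the value "did not exist in certificate", yet szUserName may name any SSL variable (as the SSLUserName documentation in this patch states), so wording such as `"SSLUserName variable '%s' is empty or unset for this client"` would be more accurate, and the ap_log_rerror() call should be wrapped at 80 columns like the surrounding code. ssl_hook_UserCheck begins and ends outside these hunks.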