Posted to cvs@httpd.apache.org by mi...@apache.org on 2013/01/11 23:53:51 UTC
svn commit: r1432322 - in /httpd/httpd/trunk:
docs/log-message-tags/next-number docs/manual/mod/mod_ssl.xml
modules/ssl/ssl_engine_kernel.c
Author: minfrin
Date: Fri Jan 11 22:53:50 2013
New Revision: 1432322
URL: http://svn.apache.org/viewvc?rev=1432322&view=rev
Log:
mod_ssl: Allow the SSLUserName to be used to control the username passed
by the FakeBasicAuth option. PR52616.
Modified:
httpd/httpd/trunk/docs/log-message-tags/next-number
httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
Modified: httpd/httpd/trunk/docs/log-message-tags/next-number
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/log-message-tags/next-number?rev=1432322&r1=1432321&r2=1432322&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/log-message-tags/next-number (original)
+++ httpd/httpd/trunk/docs/log-message-tags/next-number Fri Jan 11 22:53:50 2013
@@ -1 +1 @@
-2434
+2435
Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1432322&r1=1432321&r2=1432322&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Fri Jan 11 22:53:50 2013
@@ -1282,12 +1282,15 @@ The available <em>option</em>s are:</p>
be used for access control. The user name is just the Subject of the
Client's X509 Certificate (can be determined by running OpenSSL's
<code>openssl x509</code> command: <code>openssl x509 -noout -subject -in
- </code><em>certificate</em><code>.crt</code>). Note that no password is
- obtained from the user. Every entry in the user file needs this password:
- ``<code>xxj31ZMTZzkVA</code>'', which is the DES-encrypted version of the
- word `<code>password</code>''. Those who live under MD5-based encryption
- (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5
- hash of the same word: ``<code>$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/</code>''.</p>
+ </code><em>certificate</em><code>.crt</code>). The optional <directive
+ module="mod_ssl">SSLUserName</directive> directive can be used to
+ specify which part of the certificate Subject is embedded in the username.
+ Note that no password is obtained from the user. Every entry in the user
+ file needs this password: ``<code>xxj31ZMTZzkVA</code>'', which is the
+ DES-encrypted version of the word `<code>password</code>''. Those who
+ live under MD5-based encryption (for instance under FreeBSD or BSD/OS,
+ etc.) should use the following MD5 hash of the same word:
+ ``<code>$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/</code>''.</p>
</li>
<li><code>StrictRequire</code>
<p>
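Review bot: the new sentence narrows SSLUserName to "which part of the certificate Subject is embedded in the username", but the directive's own reference text below says the varname "can be any of the SSL environment variables", so a non-Subject variable is accepted here too; and the text is silent on the empty case, where the code in ssl_engine_kernel.c logs a warning, returns DECLINED and fakes no Authorization header at all. Suggest wording along the lines of "can be used to select the SSL variable (typically a Subject component such as SSL_CLIENT_S_DN_CN) whose value is used as the username; if that variable is empty for the presented certificate, no basic authentication header is faked", plus a caution that the user file is then keyed on that value alone, so the chosen variable must be unique across all certificates the CA issues.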
@@ -2039,9 +2042,9 @@ string. In particular, this may cause th
<code>REMOTE_USER</code> to be set. The <em>varname</em> can be
any of the <a href="#envvars">SSL environment variables</a>.</p>
-<p>Note that this directive has no effect if the
-<code>FakeBasicAuth</code> option is used (see <a
-href="#ssloptions">SSLOptions</a>).</p>
+<p>When the <code>FakeBasicAuth</code> option is enabled, this directive
+instead controls the value of the username embedded within the basic
+authentication header (see <a href="#ssloptions">SSLOptions</a>).</p>
<example><title>Example</title>
<highlight language="config">
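Review bot: replacing "has no effect" with "instead controls the value of the username" changes documented behaviour without telling the reader that it changed: a configuration that already carries both SSLUserName and FakeBasicAuth will, after upgrade, present a different username to the authn provider and existing full-DN entries in the user file stop matching. Suggest an explicit compatibility note in this paragraph (stating from which release SSLUserName is honoured with FakeBasicAuth) and a matching CHANGES entry, so the change is discoverable before an upgrade rather than after a lockout.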
Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1432322&r1=1432321&r2=1432322&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Fri Jan 11 22:53:50 2013
@@ -957,7 +957,7 @@ int ssl_hook_UserCheck(request_rec *r)
SSLConnRec *sslconn = myConnConfig(r->connection);
SSLSrvConfigRec *sc = mySrvConfig(r->server);
SSLDirConfigRec *dc = myDirConfig(r);
- char *clientdn;
+ char *user;
const char *auth_line, *username, *password;
/*
@@ -1023,7 +1023,19 @@ int ssl_hook_UserCheck(request_rec *r)
OPENSSL_free(cp);
}
- clientdn = (char *)sslconn->client_dn;
+ /* use SSLUserName if defined, otherwise use the full client DN */
+ if (dc->szUserName) {
+ user = ssl_var_lookup(r->pool, r->server, r->connection,
+ r, (char *)dc->szUserName);
+ if (!user || !user[0]) {
+ ap_log_rerror(
+ APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02434) "Failed to set FakeBasicAuth username to '%s', did not exist in certificate", dc->szUserName);
+ return DECLINED;
+ }
+ }
+ else {
+ user = (char *)sslconn->client_dn;
+ }
/*
* Fake a password - which one would be immaterial, as, it seems, an empty
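Review bot: the warning text "did not exist in certificate" is inaccurate whenever dc->szUserName names a variable that is not a certificate attribute (ssl_var_lookup() resolves any SSL variable), and it fires at APLOG_WARNING once per request from every client certificate that lacks the attribute, which is log noise the operator cannot silence without changing SSLUserName. Suggest "SSL variable '%s' named by SSLUserName is unset or empty; not faking basic auth for this request", consider APLOG_INFO, and wrap the ap_log_rerror() call to the 80-column style used in the rest of this file. Returning DECLINED rather than silently falling back to the full DN is the right choice here and should stay.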
@@ -1038,7 +1050,7 @@ int ssl_hook_UserCheck(request_rec *r)
*/
auth_line = apr_pstrcat(r->pool, "Basic ",
ap_pbase64encode(r->pool,
- apr_pstrcat(r->pool, clientdn,
+ apr_pstrcat(r->pool, user,
":password", NULL)),
NULL);
apr_table_setn(r->headers_in, "Authorization", auth_line);
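Review bot: `user` is concatenated with ":password" and base64-encoded without checking for ':' in the value, and a Basic credential is split at the first ':' by whoever decodes it, so a value containing a colon yields a truncated username and a wrong password. This predates the patch for the full DN, but SSLUserName now lets the operator select any SSL variable as the source, so the branch above that handles the empty case is a natural place to also reject a value containing ':' with a log line and DECLINED, or at minimum to document the restriction beside the SSLUserName text.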
Re: svn commit: r1432322 - in /httpd/httpd/trunk: docs/log-message-tags/next-number
docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_kernel.c
Posted by Kaspar Brand <ht...@velox.ch>.
On 11.01.2013 23:53, minfrin@apache.org wrote:
> Author: minfrin
> Date: Fri Jan 11 22:53:50 2013
> New Revision: 1432322
>
> URL: http://svn.apache.org/viewvc?rev=1432322&view=rev
> Log:
> mod_ssl: Allow the SSLUserName to be used to control the username passed
> by the FakeBasicAuth option. PR52616.
[...]
> -<p>Note that this directive has no effect if the
> -<code>FakeBasicAuth</code> option is used (see <a
> -href="#ssloptions">SSLOptions</a>).</p>
> +<p>When the <code>FakeBasicAuth</code> option is enabled, this directive
> +instead controls the value of the username embedded within the basic
> +authentication header (see <a href="#ssloptions">SSLOptions</a>).</p>
This patch changes the semantics of the FakeBasicAuth option in a
non-obvious, but potentially backwards-incompatible/surprising way -
imagine an existing configuration where SSLUserName is lying around and
FakeBasicAuth is set (i.e., the former directive is ineffective /
ignored by current mod_ssl versions). If someone is upgrading, then all
of a sudden, the existing DN entries in an authn file become invalid,
and if other (non-DN-based) entries are present which happen to map to
the attribute specified with SSLUserName, cert-based authentication
might allow access which wasn't intended in the first place.
I would prefer a more explicit way of configuring this option (perhaps
an additional SSLOption which is mutually exclusive with FakeBasicAuth).
At least for the 2.4 backport, I think it's not appropriate to change
the behavior in this rather silent way.
Kaspar
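The upgrade scenario Kaspar describes above, worked through as an added example (this is not code from the page or from the httpd project): a small Python model of the patched ssl_hook_UserCheck() logic feeding a simplified mod_authn_file lookup. The two certificates, their SSL variable values and the AuthUserFile contents are constructed for the example; the user file uses htpasswd's `{SHA}` scheme rather than the DES hash quoted in the docs so that verification runs offline, and only that scheme is modelled.

```python
import base64
import hashlib
import hmac

# Password that FakeBasicAuth always supplies (the ":password" literal in the patch).
FAKE_PASSWORD = "password"


def fake_basic_auth_header(ssl_vars, ssl_user_name=None):
    """Mirror of the patched ssl_hook_UserCheck(): username from the SSLUserName
    variable when set, else the full client DN. Returns None where the C code
    returns DECLINED (variable unset or empty), i.e. no header is faked."""
    if ssl_user_name is not None:
        user = ssl_vars.get(ssl_user_name, "")
        if not user:
            return None
    else:
        user = ssl_vars["SSL_CLIENT_S_DN"]
    credentials = f"{user}:{FAKE_PASSWORD}".encode()
    return "Basic " + base64.b64encode(credentials).decode()


def parse_basic_auth(header):
    """Decode a Basic header into (user, password), splitting at the first ':'."""
    scheme, _, payload = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(payload).decode().partition(":")
    return user, password


def htpasswd_sha(password):
    """htpasswd -s format: '{SHA}' followed by base64(SHA-1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def verify_password(password, stored):
    """Only the {SHA} scheme is modelled; crypt()/$apr1$ entries never match here."""
    if stored.startswith("{SHA}"):
        return hmac.compare_digest(htpasswd_sha(password), stored)
    return False


def authenticate(header, user_file):
    """Simplified mod_authn_file: find the 'user:hash' line, then verify.
    Returns the authenticated user name, or None."""
    if header is None:
        return None  # nothing was faked; the request falls through to other authn
    user, password = parse_basic_auth(header)
    for line in user_file.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, stored = line.partition(":")
        if name == user:
            return user if verify_password(password, stored) else None
    return None


# Constructed certificates: two distinct subjects that share a CN.
IT_ADMIN = {
    "SSL_CLIENT_S_DN": "/C=US/O=Example Corp/OU=IT/CN=admin",
    "SSL_CLIENT_S_DN_CN": "admin",
    "SSL_CLIENT_S_DN_OU": "IT",
}
CONTRACTOR = {
    "SSL_CLIENT_S_DN": "/C=US/O=Example Corp/OU=Contractors/CN=admin",
    "SSL_CLIENT_S_DN_CN": "admin",
    "SSL_CLIENT_S_DN_OU": "Contractors",
}

# Constructed AuthUserFile written for the pre-patch behaviour (full DN as the
# user name) plus one CN-keyed entry that happens to be present.
USER_FILE = "\n".join([
    "/C=US/O=Example Corp/OU=IT/CN=admin:" + htpasswd_sha(FAKE_PASSWORD),
    "admin:" + htpasswd_sha(FAKE_PASSWORD),
])


def decide(ssl_vars, ssl_user_name=None):
    """Who gets in: ssl_user_name=None is the old behaviour (and the new one
    with SSLUserName unset); a variable name is the new behaviour."""
    return authenticate(fake_basic_auth_header(ssl_vars, ssl_user_name), USER_FILE)


if __name__ == "__main__":
    for label, cert in (("IT admin", IT_ADMIN), ("contractor", CONTRACTOR)):
        print(f"{label:10s} full DN -> {decide(cert)!r}; "
              f"SSLUserName SSL_CLIENT_S_DN_CN -> {decide(cert, 'SSL_CLIENT_S_DN_CN')!r}; "
              f"SSLUserName SSL_CLIENT_S_DN_Email -> {decide(cert, 'SSL_CLIENT_S_DN_Email')!r}")
```

Run as written, the IT admin is accepted under the old behaviour through the DN entry, the contractor is refused; with SSLUserName set to SSL_CLIENT_S_DN_CN both certificates are accepted as "admin", the DN entry is never consulted again, and a variable the certificate does not carry (here SSL_CLIENT_S_DN_Email) fakes no header at all.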