Posted to cvs@httpd.apache.org by mi...@apache.org on 2013/01/11 23:53:51 UTC

svn commit: r1432322 - in /httpd/httpd/trunk: docs/log-message-tags/next-number docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_kernel.c

Author: minfrin
Date: Fri Jan 11 22:53:50 2013
New Revision: 1432322

URL: http://svn.apache.org/viewvc?rev=1432322&view=rev
Log:
mod_ssl: Allow the SSLUserName to be used to control the username passed
by the FakeBasicAuth option. PR52616.

Modified:
    httpd/httpd/trunk/docs/log-message-tags/next-number
    httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
    httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c

Modified: httpd/httpd/trunk/docs/log-message-tags/next-number
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/log-message-tags/next-number?rev=1432322&r1=1432321&r2=1432322&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/log-message-tags/next-number (original)
+++ httpd/httpd/trunk/docs/log-message-tags/next-number Fri Jan 11 22:53:50 2013
@@ -1 +1 @@
-2434
+2435

Modified: httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml?rev=1432322&r1=1432321&r2=1432322&view=diff
==============================================================================
--- httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml (original)
+++ httpd/httpd/trunk/docs/manual/mod/mod_ssl.xml Fri Jan 11 22:53:50 2013
@@ -1282,12 +1282,15 @@ The available <em>option</em>s are:</p>
     be used for access control. The user name is just the Subject of the
     Client's X509 Certificate (can be determined by running OpenSSL's
     <code>openssl x509</code> command: <code>openssl x509 -noout -subject -in
-    </code><em>certificate</em><code>.crt</code>). Note that no password is
-    obtained from the user. Every entry in the user file needs this password:
-    ``<code>xxj31ZMTZzkVA</code>'', which is the DES-encrypted version of the
-    word `<code>password</code>''. Those who live under MD5-based encryption
-    (for instance under FreeBSD or BSD/OS, etc.) should use the following MD5
-    hash of the same word: ``<code>$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/</code>''.</p>
+    </code><em>certificate</em><code>.crt</code>). The optional <directive
+    module="mod_ssl">SSLUserName</directive> directive can be used to
+    specify which part of the certificate Subject is embedded in the username.
+    Note that no password is obtained from the user. Every entry in the user
+    file needs this password: ``<code>xxj31ZMTZzkVA</code>'', which is the
+    DES-encrypted version of the word `<code>password</code>''. Those who
+    live under MD5-based encryption (for instance under FreeBSD or BSD/OS,
+    etc.) should use the following MD5 hash of the same word:
+     ``<code>$1$OXLyS...$Owx8s2/m9/gfkcRVXzgoE/</code>''.</p>
 </li>
 <li><code>StrictRequire</code>
     <p>
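Review bot: the new sentence about SSLUserName leaves the failure case undocumented. The accompanying change in ssl_engine_kernel.c logs a warning and declines the request when the variable named by SSLUserName resolves to an empty value, instead of falling back to the full Subject DN; an administrator picking an optional DN component needs to know that, so suggest adding a sentence after "embedded in the username." stating that requests whose certificate lacks the selected attribute are declined. Also, the last added line (" ``<code>$1$OXLyS...") has one more leading space than the surrounding lines.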
@@ -2039,9 +2042,9 @@ string. In particular, this may cause th
 <code>REMOTE_USER</code> to be set.  The <em>varname</em> can be
 any of the <a href="#envvars">SSL environment variables</a>.</p>
 
-<p>Note that this directive has no effect if the
-<code>FakeBasicAuth</code> option is used (see <a
-href="#ssloptions">SSLOptions</a>).</p>
+<p>When the <code>FakeBasicAuth</code> option is enabled, this directive
+instead controls the value of the username embedded within the basic
+authentication header (see <a href="#ssloptions">SSLOptions</a>).</p>
 
 <example><title>Example</title>
 <highlight language="config">
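Review bot: the rewritten paragraph describes the new behaviour but not that it is a behaviour change. The removed text said SSLUserName had no effect under FakeBasicAuth, so a configuration that already carries both directives will, after an upgrade, start embedding the selected variable instead of the full Subject DN in the Authorization header, and existing DN-based entries in the user file stop matching. Suggest stating explicitly that with SSLUserName set the username is no longer the full DN, and noting what happens when the selected variable is empty for a given client certificate.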

Modified: httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c
URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c?rev=1432322&r1=1432321&r2=1432322&view=diff
==============================================================================
--- httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c (original)
+++ httpd/httpd/trunk/modules/ssl/ssl_engine_kernel.c Fri Jan 11 22:53:50 2013
@@ -957,7 +957,7 @@ int ssl_hook_UserCheck(request_rec *r)
     SSLConnRec *sslconn = myConnConfig(r->connection);
     SSLSrvConfigRec *sc = mySrvConfig(r->server);
     SSLDirConfigRec *dc = myDirConfig(r);
-    char *clientdn;
+    char *user;
     const char *auth_line, *username, *password;
 
     /*
@@ -1023,7 +1023,19 @@ int ssl_hook_UserCheck(request_rec *r)
         OPENSSL_free(cp);
     }
 
-    clientdn = (char *)sslconn->client_dn;
+    /* use SSLUserName if defined, otherwise use the full client DN */
+    if (dc->szUserName) {
+        user = ssl_var_lookup(r->pool, r->server, r->connection,
+                                   r, (char *)dc->szUserName);
+        if (!user || !user[0]) {
+            ap_log_rerror(
+                    APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(02434) "Failed to set FakeBasicAuth username to '%s', did not exist in certificate", dc->szUserName);
+            return DECLINED;
+        }
+    }
+    else {
+        user = (char *)sslconn->client_dn;
+    }
 
     /*
      * Fake a password - which one would be immaterial, as, it seems, an empty
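Review bot: the warning text in the DECLINED branch, "did not exist in certificate", is inaccurate, since SSLUserName may name any SSL environment variable (as the mod_ssl.xml hunk says), not only a certificate attribute; "did not resolve to a non-empty value" would describe the check actually made (!user || !user[0]). The ap_log_rerror call also places APLOGNO(02434) and the entire format string on one line far beyond the width used elsewhere in this file; wrap it like the neighbouring calls. Finally, the docs should say what returning DECLINED here means in practice: no Authorization header is set, so the outcome for that client depends on whatever other authentication handlers are configured for the location.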
@@ -1038,7 +1050,7 @@ int ssl_hook_UserCheck(request_rec *r)
      */
     auth_line = apr_pstrcat(r->pool, "Basic ",
                             ap_pbase64encode(r->pool,
-                                             apr_pstrcat(r->pool, clientdn,
+                                             apr_pstrcat(r->pool, user,
                                                          ":password", NULL)),
                             NULL);
     apr_table_setn(r->headers_in, "Authorization", auth_line);



Re: svn commit: r1432322 - in /httpd/httpd/trunk: docs/log-message-tags/next-number docs/manual/mod/mod_ssl.xml modules/ssl/ssl_engine_kernel.c

Posted by Kaspar Brand <ht...@velox.ch>.
On 11.01.2013 23:53, minfrin@apache.org wrote:
> Author: minfrin
> Date: Fri Jan 11 22:53:50 2013
> New Revision: 1432322
> 
> URL: http://svn.apache.org/viewvc?rev=1432322&view=rev
> Log:
> mod_ssl: Allow the SSLUserName to be used to control the username passed
> by the FakeBasicAuth option. PR52616.

[...]

> -<p>Note that this directive has no effect if the
> -<code>FakeBasicAuth</code> option is used (see <a
> -href="#ssloptions">SSLOptions</a>).</p>
> +<p>When the <code>FakeBasicAuth</code> option is enabled, this directive
> +instead controls the value of the username embedded within the basic
> +authentication header (see <a href="#ssloptions">SSLOptions</a>).</p>

This patch changes the semantics of the FakeBasicAuth option in a
non-obvious, but potentially backwards-incompatible/surprising way -
imagine an existing configuration where SSLUserName is lying around and
FakeBasicAuth is set (i.e., the former directive is ineffective /
ignored by current mod_ssl versions). If someone is upgrading, then all
of a sudden, the existing DN entries in an authn file become invalid,
and if other (non-DN-based) entries are present which happen to map to
the attribute specified with SSLUserName, cert-based authentication
might allow access which wasn't intended in the first place.

I would prefer a more explicit way of configuring this option (perhaps
an additional SSLOption which is mutually exclusive with FakeBasicAuth).
At least for the 2.4 backport, I think it's not appropriate to change
the behavior in this rather silent way.

Kaspar